Merge pull request #545 from favicode/fix/js-xss

Fix javascript #544

Author: vvuksan

Diff for: view/adminhtml/web/js/edge-acl.js

@@ -6,8 +6,9 @@ define([
     "showErrorMessage",
     "showSuccessMessage",
     "Magento_Ui/js/modal/confirm",
+    'underscore',
     'mage/translate'
-], function ($, setServiceLabel, overlay, resetAllMessages, showErrorMessage, showSuccessMessage, confirm) {
+], function ($, setServiceLabel, overlay, resetAllMessages, showErrorMessage, showSuccessMessage, confirm, _) {
     return function (config, serviceStatus, isAlreadyConfigured) {
 
         /* ACL button messages */
@@ -371,8 +372,8 @@ define([
                                 }
                                 let created_at = new Date(item.created_at);
                                 itemsHtml += '<tr><td>' +
-                                    '<input name="value" data-type="acl" data-id="'+ item.id +'" value="'+ ip_output +'" class="input-text admin__control-text acl-items-field" type="text" disabled></td>' +
-                                    '<td><input name="comment" data-type="acl" value="'+ item.comment +'" class="input-text admin__control-text acl-comment" type="text" disabled></td>' +
+                                    '<input name="value" data-type="acl" data-id="'+ _.escape(item.id) +'" value="'+ _.escape(ip_output) +'" class="input-text admin__control-text acl-items-field" type="text" disabled></td>' +
+                                    '<td><input name="comment" data-type="acl" value="'+ _.escape(item.comment) +'" class="input-text admin__control-text acl-comment" type="text" disabled></td>' +
                                     '<td><div class="admin__control-text dialog-item acl-date">' + created_at.toUTCString() + '</div></td>' +
                                     '<td class="col-actions">' +
                                     '<button class="action-delete fastly-edit-action edit_acl_item"  title="Edit" type="button"><span>Edit</span></button>' +

Diff for: view/adminhtml/web/js/edge-dictionaries.js

@@ -6,8 +6,9 @@ define([
     "showErrorMessage",
     "showSuccessMessage",
     "Magento_Ui/js/modal/confirm",
+    'underscore',
     'mage/translate'
-], function ($, setServiceLabel, overlay, resetAllMessages, showErrorMessage, showSuccessMessage, confirm) {
+], function ($, setServiceLabel, overlay, resetAllMessages, showErrorMessage, showSuccessMessage, confirm, _) {
     return function (config, serviceStatus, isAlreadyConfigured) {
 
         /* Dictionary button messages */
@@ -341,8 +342,8 @@ define([
                         if (response.dictionaryItems.length > 0) {
                             $.each(response.dictionaryItems, function (index, item) {
                                 itemsHtml += '<tr><td>' +
-                                    '<input name="key" value="'+ item.item_key +'" class="input-text admin__control-text dictionary-items-field" type="text" disabled></td>' +
-                                    '<td><input name="value" data-type="dictionary" value="'+ item.item_value +'" class="input-text admin__control-text dictionary-items-field" type="text"></td>' +
+                                    '<input name="key" value="'+ _.escape(item.item_key) +'" class="input-text admin__control-text dictionary-items-field" type="text" disabled></td>' +
+                                    '<td><input name="value" data-type="dictionary" value="'+ _.escape(item.item_value) +'" class="input-text admin__control-text dictionary-items-field" type="text"></td>' +
                                     '<td class="col-actions">' +
                                     '<button class="action-delete fastly-save-action save_dictionary_item" title="Save" type="button"><span>Save</span></button>' +
                                     '<button class="action-delete remove_dictionary_item"  title="Delete" type="button"><span>Delete</span></button>' +

Diff for: view/adminhtml/web/js/log-endpoints.js

@@ -4,9 +4,10 @@ define([
     "overlay",
     "resetAllMessages",
     "showErrorMessage",
+    'underscore',
     'mage/translate',
     'mage/validation'
-], function ($, setServiceLabel, overlay, resetAllMessages, showErrorMessage) {
+], function ($, setServiceLabel, overlay, resetAllMessages, showErrorMessage, _) {
     return function (config, serviceStatus, isAlreadyConfigured) {
 
         let active_version = serviceStatus.active_version;
@@ -102,7 +103,7 @@ define([
                         html += '<option value="">no condition</option>';
                         $.each(conditions, function (index, condition) {
                             if (condition.type === "REQUEST") {
-                                html += '<option value="'+condition.name+'">'+condition.name+' ('+condition.type+') '+condition.statement+'</option>';
+                                html += '<option value="'+_.escape(condition.name)+'">'+_.escape(condition.name)+' ('+condition.type+') '+_.escape(condition.statement)+'</option>';
                             }
                         });
                     }
@@ -121,10 +122,10 @@ define([
             $.each(endpoints, function (index, endpoint) {
                 let html = '<tr>' +
                     '<td>' +
-                        '<input value="' + endpoint.label + '" disabled="disabled" class="input-text" type="text"/>' +
+                        '<input value="' + _.escape(endpoint.label) + '" disabled="disabled" class="input-text" type="text"/>' +
                     '</td>' +
                     '<td class="col-actions">' +
-                        '<button class="action-delete fastly-edit-log-endpoint" type="button" title="Edit Log Endpoint" data-endpoint-type="' + endpoint.type + '" data-endpoint-name="' + endpoint.name + '"></button>' +
+                        '<button class="action-delete fastly-edit-log-endpoint" type="button" title="Edit Log Endpoint" data-endpoint-type="' + _.escape(endpoint.type) + '" data-endpoint-name="' + _.escape(endpoint.name) + '"></button>' +
                     '</td>';
                 $('#fastly-log-endpoints-list').append(html);
             });

Diff for: view/adminhtml/web/js/rate-limiting.js

@@ -5,8 +5,9 @@ define([
     "resetAllMessages",
     "showErrorMessage",
     "showSuccessMessage",
+    'underscore',
     'mage/translate'
-], function ($, setServiceLabel, overlay, resetAllMessages, showErrorMessage, showSuccessMessage) {
+], function ($, setServiceLabel, overlay, resetAllMessages, showErrorMessage, showSuccessMessage, _) {
     return function (config, serviceStatus, isAlreadyConfigured) {
 
         let active_version = serviceStatus.active_version;
@@ -129,8 +130,8 @@ define([
                             if (paths.length > 0) {
                                 $.each(paths, function (index, data) {
                                     pathsHtml += '<tr><td>' +
-                                        '<input name="path[]" data-type="path" value="' + data.path + '" class="input-text admin__control-text path-field" type="text"></td>' +
-                                        '<td><input name="comment[]" data-type="path" value="' + data.comment + '" class="input-text admin__control-text path-comment" type="text"></td>' +
+                                        '<input name="path[]" data-type="path" value="' + _.escape(data.path) + '" class="input-text admin__control-text path-field" type="text"></td>' +
+                                        '<td><input name="comment[]" data-type="path" value="' + _.escape(data.comment) + '" class="input-text admin__control-text path-comment" type="text"></td>' +
                                         '<td class="col-actions">' +
                                         '<button class="action-delete remove_path"  title="Delete" type="button"><span>Delete</span></button>' +
                                         '</td></tr>';