Merge pull request #5846 from Rangashivani/master

[PPP-5604]-XSS Findings For Pentaho-platform
pentaho · Feb 21, 2025 · 2a057c5 · 2a057c5
2 parents 50ee68f + df22753
commit 2a057c5
Show file tree

Hide file tree

Showing 8 changed files with 15 additions and 209 deletions.
diff --git a/assemblies/pentaho-war/src/main/webapp/js/ajaxslt/dom.js b/assemblies/pentaho-war/src/main/webapp/js/ajaxslt/dom.js
@@ -74,7 +74,7 @@ function xmlResolveEntities(s) {
         // through the W3C DOM. W3C DOM access is specified to resolve
         // entities. 
         var span = window.document.createElement('span');
-        span.innerHTML = '&' + rp[0] + '; ';
+        pho.util.xss.setHtml(span, '&' + rp[0] + '; ');
         ch = span.childNodes[0].nodeValue.charAt(0);
     }
     ret += ch + rp[1];

diff --git a/assemblies/pentaho-war/src/main/webapp/js/google-demo.js b/assemblies/pentaho-war/src/main/webapp/js/google-demo.js
@@ -1,197 +0,0 @@
-/*! ******************************************************************************
- *
- * Pentaho
- *
- * Copyright (C) 2024 by Hitachi Vantara, LLC : http://www.pentaho.com
- *
- * Use of this software is governed by the Business Source License included
- * in the LICENSE.TXT file.
- *
- * Change Date: 2029-07-20
- ******************************************************************************/
-
-
-var map;
-	var redicon;
-	var yellowicon;
-	var greenicon;
-	var topThreshold = 100000;
-	var bottomThreshold = 50000;
-	var points = new Array();
-
-	var icon;
-
- var geocoder = new GClientGeocoder();
-
-
-icon = new GIcon();
-icon.image = "http://labs.google.com/ridefinder/images/mm_20_red.png";
-icon.shadow = "http://labs.google.com/ridefinder/images/mm_20_shadow.png";
-icon.iconSize = new GSize(12, 20);
-icon.shadowSize = new GSize(22, 20);
-icon.iconAnchor = new GPoint(6, 20);
-icon.infoWindowAnchor = new GPoint(5, 1);
-redicon = icon;
-
-icon = new GIcon();
-icon.image = "http://labs.google.com/ridefinder/images/mm_20_yellow.png";
-icon.shadow = "http://labs.google.com/ridefinder/images/mm_20_shadow.png";
-icon.iconSize = new GSize(12, 20);
-icon.shadowSize = new GSize(22, 20);
-icon.iconAnchor = new GPoint(6, 20);
-icon.infoWindowAnchor = new GPoint(5, 1);
-yellowicon = icon;
-
-icon = new GIcon();
-icon.image = "http://labs.google.com/ridefinder/images/mm_20_green.png";
-icon.shadow = "http://labs.google.com/ridefinder/images/mm_20_shadow.png";
-icon.iconSize = new GSize(12, 20);
-icon.shadowSize = new GSize(22, 20);
-icon.iconAnchor = new GPoint(6, 20);
-icon.infoWindowAnchor = new GPoint(5, 1);
-greenicon = icon;
-
-    function load() {
-      if (GBrowserIsCompatible()) {
-        map = new GMap2(document.getElementById("map"));
-        map.setCenter(new GLatLng(37.4419, -95), 4);
-		map.addControl(new GSmallMapControl());
-		map.addControl(new GMapTypeControl());
-		addPoints();
-	  }
-	}
-
-
-	function customerClick( ) {
-
-		pentahoAction( "steel-wheels", "google", "dial.xaction", 
-				new Array( 
-					new Array( "customer", currentRecord[7] ),
-					new Array( "value", currentRecord[4] ),
-					new Array( "max", 200000 ),
-					new Array( "low", bottomThreshold ),
-					new Array( "high", topThreshold )
-				), 
-				'updateInfoWindow'
-		);
-
-	}
-
-	function updateInfoWindow( content ) {
-		currentMarker.openInfoWindowHtml("<table border='0' width='375' cellpadding='0' cellspacing='0'><tr><td rowspan='2' height='125' width='250' style='xborder-right:1px solid #bbbbbb'><table><tr><td nowrap>Customer:</td><td nowrap>" + currentRecord[7] + "</td></tr><tr><td nowrap>Name:</td><td nowrap>" + currentRecord[3] + "</td></tr><tr><td nowrap>Location:</td><td nowrap>"+currentRecord[2]+"</td></tr><tr><td nowrap>Current Sales:</td><td nowrap>"+currentRecord[4]+"</td></tr></table></td><td colspan='2' valign='top' width='125'>"+content+"</td></tr><tr><td>0</td><td style='text-align:right'>200,000</td></tr></table>");
-		pentahoAction( "steel-wheels", "google", "chart.xaction", 
-				new Array( new Array( "customer", currentRecord[7] ) ), 
-				 'updateProductMix'
-		);
-	}
-
-	function updateProductMix( content ) {
-		document.getElementById( 'details-div' ).style.display='block';
-		document.getElementById( 'details-cell1' ).innerHTML=content;
-		pentahoAction( "steel-wheels", "google", "customer_details.xaction", 
-				new Array( new Array( "customer", currentRecord[7] ) ), 
-				 'updateHistory'
-		);
-	}
-
-	function updateHistory( content ) {
-		document.getElementById( 'details-div' ).style.display='block';
-		document.getElementById( 'details-cell2' ).innerHTML=content;
-	}
-
-function showAddress(address, name, custNum, value, selected) {
-	geocoder.getLatLng(
-		address,
-		function(point) {
-			if (!point) {
-//				alert(address + " not found");
-			} else {
-				var record = new Array( null, point, address, name, value, selected, null, custNum );
-				points.push( record );
-				showMarker( null, null, record );
-			}
-		}
-	);
-}
-
-	function showMarker( oldMarker, oldIcon, record ) {
-			var icon;
-			var value = record[4];
-			var point = record[1];
-			if( value < bottomThreshold ) {
-				icon = redicon;
-			}
-			else if( value > topThreshold ) {
-				icon = greenicon;
-			} else {
-				icon = yellowicon;
-			}
-			if( icon == oldIcon ) {
-				// this marker has not changed so return the old one
-				return oldMarker;
-			}
-			record[5] = icon;
-			// this marker has changed so remove it
-			if ( oldMarker ) {
-				map.removeOverlay( oldMarker );
-			}
-			// create a new marker with a click listener
-			var marker = new GMarker(point, icon);
-			map.addOverlay(marker);
-			GEvent.addListener(marker, "click", function() {
-				infoWindow( marker, record );
-			});
-			GEvent.addListener(marker, "hide", function() {
-				currentMarker = null;
-				alert( 1 );
-			});
-			return marker;
-	}
-
-	var currentMarker = null;
-	var currentRecord = null;
-
-
-	function infoWindow( marker, record ) {
-		currentMarker = marker;
-		currentRecord = record;
-		customerClick( );
-	}
-
-	function update(topChange) {
-		// repaint all of the points using the 
-		var n = points.length;
-
-		var idx1 = document.getElementById('topthreshold').selectedIndex;
-		var idx2 = document.getElementById('bottomthreshold').selectedIndex;
-		if( idx1 < idx2 ) {
-			if( topChange ) {
-				document.getElementById('bottomthreshold').selectedIndex = idx1;
-			} else {
-				document.getElementById('topthreshold').selectedIndex = idx2;
-			}
-		}
-
-		topThreshold = document.getElementById('topthreshold').value;
-		bottomThreshold = document.getElementById('bottomthreshold').value;
-		for( idx=0; idx<n; idx++ ) {
-			var marker = points[idx][0];
-			var icon = points[idx][5];
-			points[idx][0] = showMarker( marker, icon, points[idx] ); 
-		}
-
-		if( currentRecord ) {
-			pentahoAction( "steel-wheels", "google", "dial.xaction", 
-				new Array( 
-					new Array( "customer", name ),
-					new Array( "value", currentRecord[4] ),
-					new Array( "max", 200000 ),
-					new Array( "low", bottomThreshold ),
-					new Array( "high", topThreshold )
-				), 
-				'updateInfoWindow'
-			);
-		}
-
-
-	}

diff --git a/assemblies/pentaho-war/src/main/webapp/js/options.js b/assemblies/pentaho-war/src/main/webapp/js/options.js
@@ -21,11 +21,11 @@ function runInBackground( url, target )
 		url = url + "&background=true";
 		if ( target.toLowerCase().indexOf( 'new' ) >= 0 )
 		{
-			var targetWin = window.open( url );
+			pho.util.xss.open( url );
 		}
 		else
 		{
-			window.location = url;
+			pho.util.xss.setLocation(window, url);
 		}
 	}
 	return undefined;	// forces current page to remain unchanged when target=new

diff --git a/assemblies/pentaho-war/src/main/webapp/js/parameters.js b/assemblies/pentaho-war/src/main/webapp/js/parameters.js
@@ -361,7 +361,7 @@ function executeAction (target, submitUrl) {
 // convert characters from entities like &#305; to display characters (HTML)
 function convertHtmlEntitiesToCharacters(theStr) {
     var newDiv = document.createElement(newDiv);
-    newDiv.innerHTML = theStr;
+    pho.util.xss.setHtml(newDiv, theStr);
     return newDiv.innerHTML;
 }
 

diff --git a/assemblies/pentaho-war/src/main/webapp/js/src/html/util.js b/assemblies/pentaho-war/src/main/webapp/js/src/html/util.js
@@ -210,7 +210,7 @@ dojo.html.createNodesFromText = function(/* string */txt, /* boolean? */trim){
 		txt = "<table>" + txt + "</table>";
 		tableType = "section";
 	}
-	tn.innerHTML = txt;
+	pho.util.xss.setHtml(tn, txt);
 	if(tn["normalize"]){
 		tn.normalize();
 	}

diff --git a/assemblies/pentaho-war/src/main/webapp/js/utils.js b/assemblies/pentaho-war/src/main/webapp/js/utils.js
@@ -263,7 +263,8 @@ function refreshDatePicker(dateFieldName, year, month, day)
   // now, the days of the month
   do {
     dayNum = thisDay.getDate();
-    TD_onclick = " onclick=\"updateDateField('" + dateFieldName + "', '" + getDateString(thisDay) + "');\">";
+    const TD_onclick = " onclick=\"updateDateField('" + pho.util.xss.encodeForJavaScript(dateFieldName) +
+ "', '" + getDateString(thisDay) + "');\">";
 
     if (dayNum == day)
       html += TD_selected + TD_onclick + DIV_selected + dayNum + xDIV + xTD;
@@ -296,7 +297,7 @@ function refreshDatePicker(dateFieldName, year, month, day)
   // and finally, close the table
   html += xTABLE;
 
-  document.getElementById(datePickerDivID).innerHTML = html;
+  pho.util.xss.setHtmlUnsafe(document.getElementById(datePickerDivID), html);
   // add an "iFrame shim" to allow the datepicker to display above selection lists
   adjustiFrame();
 }
@@ -315,7 +316,8 @@ function getButtonCode(dateFieldName, dateVal, adjust, label)
     newYear += -1;
   }
 
-  return "<button class='dpButton' onClick='refreshDatePicker(\"" + dateFieldName + "\", " + newYear + ", " + newMonth + ");'>" + label + "</button>";
+  return "<button class='dpButton' onClick='refreshDatePicker(\"" + pho.util.xss.encodeForJavaScript(dateFieldName) +
+ "\", " + newYear + ", " + newMonth + ");'>" + label + "</button>";
 }
 
 

diff --git a/user-console/src/main/resources/org/pentaho/mantle/public/home/content/welcome/js/main.js b/user-console/src/main/resources/org/pentaho/mantle/public/home/content/welcome/js/main.js
@@ -51,7 +51,7 @@ CCP.liveChat = function(){
 		pucOpenTab( name, title, url );
 	}
 	else {
-		window.open( url );
+		pho.util.xss.open( url );
 	}
 }
 

diff --git a/user-console/src/main/resources/org/pentaho/mantle/public/home/js/gettingStarted.js b/user-console/src/main/resources/org/pentaho/mantle/public/home/js/gettingStarted.js
@@ -14,8 +14,9 @@
 define([
   "common-ui/util/ContextProvider",
   "common-ui/util/BootstrappedTabLoader",
-  "common-ui/util/HandlebarsCompiler"
-], function (ContextProvider, BootstrappedTabLoader, HandlebarsCompiler) {
+  "common-ui/util/HandlebarsCompiler",
+  "common-ui/util/xss"
+], function (ContextProvider, BootstrappedTabLoader, HandlebarsCompiler, xssUtil) {
 
   var brightCoveVideoTemplate =
       '<iframe src="https://players.brightcove.net/4680021553001/default_default/index.html?videoId={{videoId}}&autoplay=true"' +
@@ -207,7 +208,7 @@ define([
 
     launchLink.unbind("click");
     launchLink.bind("click", function () {
-      window.open(href, "_blank");
+      xssUtil.open(href, "_blank");
     });
   }
-Original file line number
+Diff line change
@@ Expand Up / @@ -51,7 +51,7 @@ CCP.liveChat = function(){ @@
     		pucOpenTab( name, title, url );
     	}
     	else {
-    		window.open( url );
+    		pho.util.xss.open( url );
     	}
     }
@@ Expand Down @@