From 39c00d32717857c61a1fb9bc1e66e330dc82f418 Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core
Date: Fri, 13 Sep 2024 09:21:07 -0400
Subject: [PATCH] Backport of [ui] Simple url sanitization for get-env and document.cookie into release/1.19.x (#21721)
backport of commit 9fb851ddd2dd0a1a53d8dda9a98fa787af3fc068
Co-authored-by: Phil Renaud
---
 .changelog/21711.txt | 3 +++
 .../consul-ui/app/utils/get-environment.js | 26 ++++++++++++++++---
 2 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 .changelog/21711.txt
diff --git a/.changelog/21711.txt b/.changelog/21711.txt
new file mode 100644
index 0000000000..b3ab185a2a
--- /dev/null
+++ b/.changelog/21711.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI.
+```
diff --git a/ui/packages/consul-ui/app/utils/get-environment.js b/ui/packages/consul-ui/app/utils/get-environment.js
index 91195d8962..ebfc1763e6 100644
--- a/ui/packages/consul-ui/app/utils/get-environment.js
+++ b/ui/packages/consul-ui/app/utils/get-environment.js
@@ -4,6 +4,19 @@
 */
 import { runInDebug } from '@ember/debug';
+import { htmlSafe } from '@ember/template';
+
+function sanitizeString(str) {
+ return htmlSafe(
+ String(str)
+ .replace(/&/g, '&')
+ .replreplace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ );
+}
+
 // 'environment' getter
 // there are currently 3 levels of environment variables:
 // 1. Those that can be set by the user by setting localStorage values
@@ -58,9 +71,16 @@ export default function (config = {}, win = window, doc = document) {
 } else {
 str = cookies(doc.cookie).join(';');
 const tab = win.open('', '_blank');
- tab.document.write(
- `
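Review bot: `sanitizeString` returns an `htmlSafe` SafeString rather than a plain string, but its only caller (in the second hunk) interpolates it into a template literal handed to `tab.document.write`, where the wrapper is stringified immediately and adds nothing; `htmlSafe` only tells Ember templates not to escape the value again, and no template consumes this result. Returning the escaped string directly and dropping the `@ember/template` import keeps the helper's name and return type honest, e.g. `return String(str).replace(...)...;`. A JSDoc header is also missing: `/** Escape &, <, >, " and ' in str so it can be interpolated into HTML markup as text. @param {unknown} str @returns {string} */`. As rendered on this page the `<` and `>` replacements look mangled (`.replace(//g, '>')`) and the replacement strings appear entity-decoded, presumably from HTML stripping of the page; I assume the committed code escapes both characters to their `&amp;`-style entities.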
${location.href}#${str}

Scenario` - ); + if (tab) { + const safeLocationHref = sanitizeString(location.href); + const safeStr = sanitizeString(str); + tab.document.write(` + +
${safeLocationHref}#${safeStr}

+ Scenario + + `); + } } };
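Review bot: The new branch reads `location.href` from the global while the enclosing function (its signature is in the hunk header, and its body starts before this hunk) takes `win` and `doc` as injectable parameters and already uses `doc.cookie` and `win.open` two lines above; `const safeLocationHref = sanitizeString(win.location.href);` keeps the dependency injection consistent and the branch testable. More broadly, hand-escaping values and then `document.write`-ing a template literal remains the fragile part of this fix: creating the elements on `tab.document` and assigning the values through `textContent` (and setting any link target as an attribute rather than interpolating it) needs no escaping helper and cannot be undone by a missed character. The markup inside the template literal is not legible on this page (the tags appear stripped in the lines above; a `<pre>` is my guess from the layout), so the sketch below keeps only the visible text content and marks the rest as unchanged.
```javascript
if (tab) {
  const pre = tab.document.createElement('pre');
  pre.textContent = `${win.location.href}#${str}`;
  tab.document.body.append(pre);
  // … unchanged: the remaining markup written to the tab (the "Scenario" element) …
}
```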