
Commit ec27ecc

admin/nodes: escape quotes in esc() for attribute-context XSS (CodeQL)
1 parent aaa17ae commit ec27ecc

1 file changed

Lines changed: 6 additions & 1 deletion


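--- a/controlplane/admin/ui/src/pages/nodes/peepernetes.ts
+++ b/controlplane/admin/ui/src/pages/nodes/peepernetes.ts
@@ -288,7 +288,12 @@ export function mountPeepernetes(root: HTMLElement): () => void {
 
 // ── event ticker ───────────────────────────────────────
 const evBox = $("#events");
-const esc = (s: any): string => String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+// Escapes for BOTH text and attribute contexts (esc(p) is interpolated into a
+// data-pool="…" attribute), so quotes must be escaped too or a pool/label name
+// containing a double-quote could break out of the attribute (CodeQL XSS).
+const esc = (s: any): string => String(s)
+.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
+.replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 const evLog: any[] = [];
 function renderEvRow(e: any, animate: boolean): HTMLDivElement {
 const row = document.createElement("div");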
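Review bot: The new `esc` is only a safe escaper for HTML text and for attribute values that are wrapped in double or single quotes; it does not make interpolation into an unquoted attribute, an event-handler attribute, or a URL-valued attribute safe, and the comment above it should say so, e.g. append `// Only valid for text nodes and *quoted* attribute values — not for unquoted attributes, on*= handlers or href/src.` so the next caller does not reuse it in one of those contexts. The comment also states that the caller builds a `data-pool="…"` attribute by string interpolation, which is outside this hunk; if that markup is assembled into `innerHTML`, assigning `el.dataset.pool = p` or `el.setAttribute("data-pool", p)` on a created element would remove the need for escaping at that site entirely, which is the more robust fix. Separately, `s: any` can be `s: unknown` without changing behaviour, since `String(s)` accepts `unknown`: `const esc = (s: unknown): string => String(s)`. The enclosing `mountPeepernetes` starts and ends outside the hunk.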
