[PPP-5351]-XSS Findings For Data-Access ,Pentaho-platform-plugin-dashboards

Rangashivani · Rangashivani · commit a6c46eefb74f · 2024-10-28T11:30:02.000Z
diff --git a/assemblies/data-access-plugin/src/main/resources/resources/web/messages/Messages.js b/assemblies/data-access-plugin/src/main/resources/resources/web/messages/Messages.js
@@ -12,9 +12,10 @@
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
-* Copyright (c) 2002-2017 Hitachi Vantara..  All rights reserved.
+* Copyright (c) 2002-2024 Hitachi Vantara..  All rights reserved.
 */
 
+define(["common-ui/util/xss"], function(xssUtil) {
 Messages = function()
 {
 };
@@ -49,7 +50,7 @@ Messages.entityDecoder=document.createElement('textarea');
 Messages.html_entity_decode = function(str)
 {
     try{
-        Messages.entityDecoder.innerHTML = str; 
+        xssutil.setHtml(Messages.entityDecoder, str)
         var value = Messages.entityDecoder.value;
         value = unescape(value);
         return value;
@@ -117,8 +118,9 @@ var cnt = 0;
 		element = elementOrId;
 	}
 	if (element) {
-		element.innerHTML = Messages.getString(msgKey);
+		xssutil.setHtml(element, Messages.getString(msgKey));
 	}
 };
 /* static init */
 Messages.init();
+});

Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,10 @@`
`12`	`12`	`* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.`
`13`	`13`	`* See the GNU Lesser General Public License for more details.`
`14`	`14`	`*`
`15`		`-* Copyright (c) 2002-2017 Hitachi Vantara.. All rights reserved.`
	`15`	`+* Copyright (c) 2002-2024 Hitachi Vantara.. All rights reserved.`
`16`	`16`	`*/`
`17`	`17`
	`18`	`+define(["common-ui/util/xss"], function(xssUtil) {`
`18`	`19`	`Messages = function()`
`19`	`20`	`{`
`20`	`21`	`};`
`@@ -49,7 +50,7 @@ Messages.entityDecoder=document.createElement('textarea');`
`49`	`50`	`Messages.html_entity_decode = function(str)`
`50`	`51`	`{`
`51`	`52`	`try{`
`52`		`- Messages.entityDecoder.innerHTML = str;`
	`53`	`+ xssutil.setHtml(Messages.entityDecoder, str)`
`53`	`54`	`var value = Messages.entityDecoder.value;`
`54`	`55`	`value = unescape(value);`
`55`	`56`	`return value;`
`@@ -117,8 +118,9 @@ var cnt = 0;`
`117`	`118`	`element = elementOrId;`
`118`	`119`	`}`
`119`	`120`	`if (element) {`
`120`		`- element.innerHTML = Messages.getString(msgKey);`
	`121`	`+ xssutil.setHtml(element, Messages.getString(msgKey));`
`121`	`122`	`}`
`122`	`123`	`};`
`123`	`124`	`/* static init */`
`124`	`125`	`Messages.init();`
	`126`	`+});`