Diffstat (limited to '')
-rw-r--r-- | web/gui/goto-host-from-alarm.html (renamed from web/goto-host-from-alarm.html) | 49 |
1 files changed, 42 insertions, 7 deletions
diff --git a/web/goto-host-from-alarm.html b/web/gui/goto-host-from-alarm.html
index 40592134b..5eb66b5d0 100644
--- a/web/goto-host-from-alarm.html
+++ b/web/gui/goto-host-from-alarm.html
@@ -1,4 +1,5 @@
 <!DOCTYPE html>
+<!-- SPDX-License-Identifier: GPL-3.0-or-later -->
 <html lang="en">
 <head>
 <title>Goto a host you know...</title>
@@ -21,6 +22,40 @@
 <script type="text/javascript" src="dashboard.js?v20170724-7"></script>
 <script>
+function escapeUserInputHTML(s) {
+ return s.toString()
+ .replace(/&/g, '&')
+ .replace(/</g, '<')
+ .replace(/>/g, '>')
+ .replace(/"/g, '"')
+ .replace(/#/g, '#')
+ .replace(/'/g, ''')
+ .replace(/\(/g,'(')
+ .replace(/\)/g,')')
+ .replace(/\//g,'/');
+}
+
+// if string.startsWith is not defined, define it
+if(typeof String.prototype.startsWith !== 'function') {
+ String.prototype.startsWith = function(s) {
+ if(s.length > this.length) return false;
+ return this.slice(s.length) === s;
+ };
+}
+
+function verifyURL(s) {
+ if(typeof(s) === 'string' && (s.startsWith('http://') || s.startsWith('https://')))
+ return s
+ .replace(/'/g, '%22')
+ .replace(/"/g, '%27')
+ .replace(/\)/g, '%28')
+ .replace(/\(/g, '%29');
+ console.log('invalid URL detected:');
+ console.log(s);
+ return 'javascript:alert("invalid url");';
+}
+
 var urlOptions = {
 host: null,
 chart: null,
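Review bot: verifyURL's percent-encodings are cross-wired — `'` is rewritten to `%22` and `"` to `%27`, `)` to `%28` and `(` to `%29` — so every accepted URL that contains one of those characters is silently turned into a different URL (a `(` decodes back as `)`). The startsWith polyfill above it is also wrong: `this.slice(s.length) === s` compares the tail of the string with the prefix, so on a browser without a native startsWith verifyURL rejects every `http://`/`https://` value; it should read `return this.slice(0, s.length) === s;`. The rejection path returns a `javascript:` URL, and the later hunks assign verifyURL's result straight to `document.location` and into an `href`, so a rejected value becomes a scripted navigation rather than a no-op; an inert value such as `'about:blank'` (or returning null and having callers skip the navigation) is safer and survives a CSP that forbids `javascript:` URLs. As rendered here, escapeUserInputHTML's replacement strings look like identity mappings (`'&'` for `&`, `'<'` for `<`); this is presumably the page decoding `&amp;`-style entity literals, but it is worth confirming in the checked-in file, because if they really were identity replacements the innerHTML sinks this commit guards would stay injectable.
```javascript
String.prototype.startsWith = function(s) {
    if(s.length > this.length) return false;
    return this.slice(0, s.length) === s;
};
// … unchanged: escapeUserInputHTML …
function verifyURL(s) {
    if(typeof(s) === 'string' && (s.startsWith('http://') || s.startsWith('https://')))
        return s
            .replace(/'/g, '%27')
            .replace(/"/g, '%22')
            .replace(/\(/g, '%28')
            .replace(/\)/g, '%29');
    // … unchanged: console.log diagnostics …
    return 'about:blank';
}
```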
@@ -86,7 +121,7 @@ function gotoServerValidateUrl(id, guid, url) {
 var finalURL = netdataURL(url);
 setTimeout(function() {
- document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + finalURL + '" target="_blank">' + url + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
+ document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + verifyURL(finalURL) + '" target="_blank">' + escapeUserInputHTML(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
 NETDATA.registry.hello(url, function(data) {
 if(typeof data !== 'undefined' && data !== null && typeof data.machine_guid === 'string' && data.machine_guid === guid) {
@@ -99,11 +134,11 @@ function gotoServerValidateUrl(id, guid, url) {
 if(gotoServerMiddleClick) {
 window.open(finalURL);
 gotoServerMiddleClick = false;
- document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + finalURL + '">' + url + '</a></b><br/>(check your pop-up blocker if it fails)';
+ document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + verifyURL(finalURL) + '">' + escapeUserInputHTML(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
 }
 else {
- document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + url + '</small>';
- document.location = finalURL;
+ document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + escapeUserInputHTML(url) + '</small>';
+ document.location = verifyURL(finalURL);
 }
 }
 }
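Review bot: The innerHTML assignment in the second hunk (`'<b>Opening new window to ' + NETDATA.registry.machines[guid].name + ...`) still inserts the machine name unescaped while the `url` right next to it is now wrapped in `escapeUserInputHTML()`; that name is presumably populated from the registry's response, like the `machine_guid` the code compares against, so it should go through the same escaping, and `guid` is likewise spliced into the `id="..."` attribute in the first hunk without any escaping. `window.open(finalURL)` two lines above uses the raw value while the anchor beside it uses `verifyURL(finalURL)`, so the middle-click path skips the check the commit adds everywhere else; `window.open(verifyURL(finalURL));` keeps the two paths consistent. The generated `target="_blank"` anchor in the first hunk also carries no `rel="noopener noreferrer"`. gotoServerValidateUrl begins before these hunks and continues after them.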
@@ -119,7 +154,7 @@ function gotoServerValidateUrl(id, guid, url) {
 if(thisIsHttps === true && urlsInHttp > 0) {
 document.getElementById('gotoServerResponse').innerHTML += '<br/>redirecting myself to HTTP to allow checking';
- document.location = document.location.toString().replace('https://', 'http://');
+ document.location = verifyURL(document.location.toString().replace('https://', 'http://'));
 }
 }
 }
@@ -184,13 +219,13 @@ var netdataRegistryCallback = function(machines_array) {
 }
 }
- document.getElementById('bodylog').innerHTML = "Sorry... your account is not linked to a netdata server named: <b>" + urlOptions.host + '</b>';
+ document.getElementById('bodylog').innerHTML = "Sorry... your account is not linked to a netdata server named: <b>" + escapeUserInputHTML(urlOptions.host) + '</b>';
 };
 netdataQueryParse();
 </script>
 <body>
-<div class="container" id="">
+<div class="container">
 <div id="bodylog" style="padding-top: 8vmax; font-size: 2.0vmax;">
 <span id="message">Please wait...</span> |