This is an automated email from the ASF dual-hosted git repository. wuzhiguo pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push: new 2b80356c8b AMBARI-25329: Ambari breadcrumbs xss vulnerability (#3482) 2b80356c8b is described below commit 2b80356c8b760e4e86c5c859c8da850300c3acad Author: Zhiguo Wu <wuzhi...@apache.org> AuthorDate: Fri Nov 11 01:58:36 2022 +0800 AMBARI-25329: Ambari breadcrumbs xss vulnerability (#3482)
---
 ambari-web/app/views/common/breadcrumbs_view.js | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ambari-web/app/views/common/breadcrumbs_view.js b/ambari-web/app/views/common/breadcrumbs_view.js
index ec6e6a64ef..31190c5faf 100644
--- a/ambari-web/app/views/common/breadcrumbs_view.js
+++ b/ambari-web/app/views/common/breadcrumbs_view.js
@@ -149,8 +149,16 @@ App.BreadcrumbItem = Em.Object.extend({
 createLabel() {
 let label = this.get('label');
 let labelBindingPath = this.get('labelBindingPath');
+ let formattedLabel;
+
+ if (labelBindingPath) {
+ formattedLabel = Ember.Handlebars.Utils.escapeExpression(App.get(_getLabelPathWithoutApp(labelBindingPath)));
+ } else{
+ formattedLabel = label;
+ }
+
+
- let formattedLabel = labelBindingPath ? App.get(_getLabelPathWithoutApp(labelBindingPath)) : label;
 this.set('formattedLabel', this.labelPostFormat(formattedLabel));
 },
@@ -216,7 +224,9 @@ App.BreadcrumbsView = Em.View.extend({
 }
 currentState = currentState.get('parentState');
 }
- items = items.reverse().map(item => App.BreadcrumbItem.extend(item).create());
+ items.reverse();
+ items.slice(1).forEach(item => item.label = Ember.Handlebars.Utils.escapeExpression(item.label));
+ items = items.map(item => App.BreadcrumbItem.extend(item).create());
 if (items.length) {
 items.get('lastObject').setProperties({
 disabled: true,
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@ambari.apache.org For additional commands, e-mail: commits-h...@ambari.apache.org
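Review bot: In the new `else` branch of `createLabel`, `formattedLabel = label;` still hands the plain label to `labelPostFormat` unescaped, so the item is only safe when its caller pre-escaped `label` as the second hunk does; any other place that builds an `App.BreadcrumbItem` (not visible in this diff) would render the raw value. Escaping inside the item for both branches, `formattedLabel = Ember.Handlebars.Utils.escapeExpression(label);`, would make `BreadcrumbItem` self-contained and let the view-side loop go, provided the template renders `formattedLabel` unescaped and no caller relies on passing trusted markup in `label` — neither is visible here, so worth checking before moving it. Handlebars' `escapeExpression` returns `''` for null/undefined, so an unresolved `labelBindingPath` target now yields an empty string where the old ternary passed `undefined` to `labelPostFormat`; confirm that helper handles both the same way. Style: `} else{` wants a space before the brace, and the two blank lines added between `}` and `this.set(...)` should be dropped. The enclosing `App.BreadcrumbItem` object continues outside the hunk.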
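Review bot: `items.slice(1).forEach(...)` deliberately leaves the first breadcrumb's `label` unescaped, and nothing in the hunk records why; if `items[0]` is a static root crumb that is acceptable, otherwise it is the one label the fix misses. The escaping also works only because the loop mutates each `item.label` in place before `App.BreadcrumbItem.extend(item).create()`, which splits the contract between the view and `createLabel` in the first hunk; a comment above the loop such as `// TODO(review): confirm items[0].label is static; labels from index 1 can carry route/user data and are escaped here before the item renders them` would at least make the boundary explicit. If the template binds `formattedLabel` with `{{ }}` rather than `{{{ }}}`, these labels would now be double-escaped and show entities like `&amp;lt;` — the template is not in this diff, so that needs checking. The enclosing function starts outside the hunk.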