Backport of [ui] Simple url sanitization for get-env and document.coo…

…kie into release/1.19.x (#21721) backport of commit 9fb851d Co-authored-by: Phil Renaud <[email protected]>
hashicorp · Sep 13, 2024 · 39c00d3 · 39c00d3
1 parent c0c9b5b
commit 39c00d3
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/.changelog/21711.txt b/.changelog/21711.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI.
+```
diff --git a/ui/packages/consul-ui/app/utils/get-environment.js b/ui/packages/consul-ui/app/utils/get-environment.js
@@ -4,6 +4,19 @@
  */
 
 import { runInDebug } from '@ember/debug';
+import { htmlSafe } from '@ember/template';
+
+function sanitizeString(str) {
+  return htmlSafe(
+    String(str)
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;')
+  );
+}
+
 // 'environment' getter
 // there are currently 3 levels of environment variables:
 // 1. Those that can be set by the user by setting localStorage values
@@ -58,9 +71,16 @@ export default function (config = {}, win = window, doc = document) {
       } else {
         str = cookies(doc.cookie).join(';');
         const tab = win.open('', '_blank');
-        tab.document.write(
-          `<body><pre>${location.href}#${str}</pre><br /><a href="javascript:Scenario('${str}')">Scenario</a></body>`
-        );
+        if (tab) {
+          const safeLocationHref = sanitizeString(location.href);
+          const safeStr = sanitizeString(str);
+          tab.document.write(`
+            <body>
+              <pre>${safeLocationHref}#${safeStr}</pre><br />
+              <a href="#" onclick="window.opener.Scenario('${safeStr}');window.close();return false;">Scenario</a>
+            </body>
+          `);
+        }
       }
     };