Merge pull request #4849 from Countly/event-xss

kanwarujjaval · web-flow · commit 4170a7fa5cc7 · 2024-01-24T12:59:58.000+05:30
[SER-1080] Replace v-html in event templates
diff --git a/frontend/express/public/core/events/templates/allEvents.html b/frontend/express/public/core/events/templates/allEvents.html
@@ -39,8 +39,8 @@
 		  <div class="cly-vue-events-all" v-else>
 			{{decode(groupData.name)}}<span class="cly-vue-events-group bu-ml-4">{{i18n('events.all.group')}}</span>
 		  </div>
-		  <div  class="cly-vue-events-all__subheading bu-pt-3" v-if="groupData.isGroup && groupData.description" v-html="groupData.description"></div>
-		  <div  class="cly-vue-events-all__subheading bu-pt-3" v-if="!groupData.isGroup && eventDescription" v-html="eventDescription"></div>
+          <div  class="cly-vue-events-all__subheading bu-pt-3" v-if="groupData.isGroup && groupData.description" >{{unescapeHtml(groupData.description)}}</div>
+          <div  class="cly-vue-events-all__subheading bu-pt-3" v-if="!groupData.isGroup && eventDescription" >{{unescapeHtml(eventDescription)}}</div>
 		  <div class="bu-is-flex cly-vue-events-all--padding">
 			<div class="bu-is-align-items-center bu-is-flex" v-if="hasSegments">
 			  <span class="bu-is-flex cly-vue-events-all-placeholder-text bu-pr-2">{{i18n('events.all.segmentation')}}</span>
@@ -69,7 +69,7 @@
 			  <cly-date-picker-g class="cly-vue-events-all-date-picker"></cly-date-picker-g>
 			</div>
 		  </div>
-		  <div  class="color-cool-gray-100 font-weight-normal text-medium bu-pt-4" v-if="segmentDescription!=''" v-html="segmentDescription"></div>
+          <div  class="color-cool-gray-100 font-weight-normal text-medium bu-pt-4" v-if="segmentDescription!=''" >{{unescapeHtml(segmentDescription)}}</div>
 		  <cly-section class="bu-mt-5 bu-mr-5">
 			<cly-chart-bar v-if="currentActiveSegmentation !== 'segment'" :option="barData" :legend="lineLegend" :force-loading="isChartLoading" v-loading="isChartLoading">	
 			</cly-chart-bar>
diff --git a/plugins/data-manager/frontend/public/javascripts/countly.views.js b/plugins/data-manager/frontend/public/javascripts/countly.views.js
@@ -321,7 +321,8 @@
         template: CV.T('/data-manager/templates/event-group-detail.html'),
         mixins: [
             countlyVue.mixins.hasDrawers(["eventgroup"]),
-            countlyVue.mixins.auth(FEATURE_NAME)
+            countlyVue.mixins.auth(FEATURE_NAME),
+            countlyVue.mixins.commonFormatters,
         ],
         components: {
             'event-group-drawer': EventGroupDrawer,
@@ -386,7 +387,8 @@
     var EventsDefaultTabView = countlyVue.views.create({
         template: CV.T('/data-manager/templates/events-default.html'),
         mixins: [
-            countlyVue.mixins.auth(FEATURE_NAME)
+            countlyVue.mixins.auth(FEATURE_NAME),
+            countlyVue.mixins.commonFormatters,
         ],
         components: {
             'data-manager-manage-category': ManageCategory
@@ -783,7 +785,8 @@
     var EventsGroupsTabView = countlyVue.views.create({
         template: CV.T('/data-manager/templates/event-groups.html'),
         mixins: [
-            countlyVue.mixins.auth(FEATURE_NAME)
+            countlyVue.mixins.auth(FEATURE_NAME),
+            countlyVue.mixins.commonFormatters,
         ],
         data: function() {
             return {
@@ -1169,7 +1172,8 @@
             countlyVue.container.mixins(["/manage/data-manager"]),
             countlyVue.container.tabsMixin({
                 "externalTabs": "/manage/data-manager"
-            })
+            }),
+            countlyVue.mixins.commonFormatters,
         ],
         data: function() {
             var localTabs = [];
@@ -1198,7 +1202,8 @@
         template: CV.T('/data-manager/templates/event-detail.html'),
         mixins: [
             countlyVue.mixins.hasDrawers(["events", "segments"]),
-            countlyVue.mixins.auth(FEATURE_NAME)
+            countlyVue.mixins.auth(FEATURE_NAME),
+            countlyVue.mixins.commonFormatters,
         ],
         components: {
             'events-drawer': EventsDrawer,
diff --git a/plugins/data-manager/frontend/public/templates/event-detail.html b/plugins/data-manager/frontend/public/templates/event-detail.html
@@ -7,7 +7,7 @@
                 <cly-back-link link="/manage/data-manager/events/events" title="Back to Manage Events"></cly-back-link>
                 <div class="bu-mt-4">
                     <div class="bu-is-flex bu-is-align-items-center">
-                        <h3 class="bu-is-capitalized bu-mr-2">{{event.name || event.key}}</h3>
+                        <h3 class="bu-is-capitalized bu-mr-2">{{unescapeHtml(event.name || event.key)}}</h3>
                         <cly-guide></cly-guide>
                     </div>
                     <div class="bu-mt-4 bu-mr-2">
@@ -65,22 +65,22 @@ <h3 class="bu-is-capitalized bu-mr-2">{{event.name || event.key}}</h3>
                             <tr>
                                 <td><span>{{i18n('data-manager.events.key')}}</span>
                                 </td>
-                                <td v-html="event.key"></td>
+                                <td>{{unescapeHtml(event.key)}}</td>
                             </tr>
                             <tr>
                                 <td><span>{{i18n('data-manager.event-name')}}</span>
                                 </td>
-                                <td v-html="event.name"></td>
+                                <td>{{unescapeHtml(event.name)}}</td>
                             </tr>
                             <tr>
                                 <td><span>{{i18n('data-manager.description')}}</span>
                                 </td>
-                                <td v-html="event.description || '-' "></td>
+                                <td>{{unescapeHtml(event.description || '-')}}</td>
                             </tr>
                             <tr>
                                 <td><span>{{i18n('data-manager.category')}}</span>
                                 </td>
-                                <td v-html="categoriesMap[event.category] || i18n('data-manager.uncategorized')"></td>
+                                <td>{{unescapeHtml(categoriesMap[event.category] || i18n('data-manager.uncategorized'))}}</td>
                             </tr>
                             <tr>
                                 <td><span>{{i18n('data-manager.first-triggered')}}</span>
@@ -109,12 +109,12 @@ <h4>{{i18n('data-manager.event-segmentation')}}</h4>
             <template v-slot="scope">
                 <el-table-column :label="i18n('data-manager.segment-name')" sortable="custom" prop="name">
                     <template v-slot="rowScope">
-                        <div v-html="rowScope.row.name"></div>
+                        <div>{{unescapeHtml(rowScope.row.name)}}</div>
                     </template>
                 </el-table-column>
                 <el-table-column :label="i18n('data-manager.description')">
                     <template v-slot="rowScope">
-                        <div v-html="rowScope.row.description"></div>
+                        <div>{{unescapeHtml(rowScope.row.description)}}</div>
                     </template>
                 </el-table-column>
                 <el-table-column :label="i18n('data-manager.status')" sortable="custom" prop="status">
diff --git a/plugins/data-manager/frontend/public/templates/event-group-detail.html b/plugins/data-manager/frontend/public/templates/event-group-detail.html
@@ -6,7 +6,7 @@
             <div>
                 <cly-back-link link="/manage/data-manager/events/event-groups" title="Back to Manage Event Groups"></cly-back-link>
                 <div class="bu-mt-4 bu-is-flex bu-is-align-items-center">
-                    <h3 class="bu-is-capitalized bu-mr-2" v-html="eventGroup.name"></h3>
+                    <h3 class="bu-is-capitalized bu-mr-2">{{unescapeHtml(eventGroup.name)}}</h3>
                     <cly-guide></cly-guide>
                 </div>
                 <div class="bu-mt-4 bu-mr-2">
@@ -41,14 +41,14 @@ <h3 class="bu-is-capitalized bu-mr-2" v-html="eventGroup.name"></h3>
                                 <tr>
                                     <td><span>{{ i18n('data-manager.description') }}</span>
                                     </td>
-                                    <td v-html="eventGroup.description"></td>
+                                    <td>{{unescapeHtml(eventGroup.description)}}</td>
                                 </tr>
                                 <tr>
                                     <td>
                                         <span>{{ i18n('data-manager.included-events') }}</span>
                                     </td>
                                     <td>
-                                        <div class="bu-mb-2" v-for="e in eventGroup.source_events"><div v-html="e"></div></div>
+                                        <div class="bu-mb-2" v-for="e in eventGroup.source_events"><div>{{unescapeHtml(e)}}</div></div>
                                     </td>
                                 </tr>
                             </tbody>
@@ -72,7 +72,7 @@ <h3 class="bu-is-capitalized bu-mr-2" v-html="eventGroup.name"></h3>
             {{ i18n('data-manager.delete-event-group-permanently') }}<br/> 
             <small class="color-red-100"> {{i18n('data-manager.delete-event-warning')}} </small>
             <ul>
-             <li v-if="deleteElement"><div v-html="deleteElement.name"></div></li>
+                <li v-if="deleteElement"><div>{{unescapeHtml(deleteElement.name)}}</div></li>
             </ul>
         </template>
     </cly-confirm-dialog>
diff --git a/plugins/data-manager/frontend/public/templates/event-groups.html b/plugins/data-manager/frontend/public/templates/event-groups.html
@@ -24,7 +24,8 @@
 
             <el-table-column fixed="left" sortable="custom" prop="name" :label="i18n('data-manager.event-group-name')" min-width="330px">
                 <template v-slot="rowScope">
-                    <a v-bind:href="'#/manage/data-manager/events/event-groups/' + rowScope.row._id" @click="onRowClick(rowScope.row)" class="cly-vue-data-manager__clickable bu-is-clickable color-dark-blue-100" v-html="rowScope.row.name">
+                    <a v-bind:href="'#/manage/data-manager/events/event-groups/' + rowScope.row._id" @click="onRowClick(rowScope.row)" class="cly-vue-data-manager__clickable bu-is-clickable color-dark-blue-100">
+                        {{unescapeHtml(rowScope.row.name)}}
                     </a>
                     <div class="text-small color-cool-gray-50" v-if="rowScope.row.source_events">{{rowScope.row.source_events.length || 0}} Events</div>
                     <span v-if="rowScope.row.status === false" class="cly-vue-data-manager__hidden-icon"><i class="ion-eye-disabled"></i></span>
@@ -34,7 +35,7 @@
 
             <el-table-column sortable="custom"  prop="description" :label="i18n('data-manager.event-group-description')" min-width="330px">
                 <template v-slot="rowScope">
-                    <div v-html="rowScope.row.description || i18n('data-manager.empty-placeholder')"></div>
+                    <div>{{unescapeHtml(rowScope.row.description || i18n('data-manager.empty-placeholder'))}}</div>
                 </template>
             </el-table-column>
 
diff --git a/plugins/data-manager/frontend/public/templates/events-default.html b/plugins/data-manager/frontend/public/templates/events-default.html
@@ -39,7 +39,7 @@
                     <template v-slot="rowScope">
                         <!-- <div @click="onRowClick(rowScope.row)" class="cly-vue-data-manager__clickable bu-is-clickable color-dark-blue-100">{{rowScope.row.name || rowScope.row.key || rowScope.row.e}}</div> -->
                         <a v-bind:href="'#/manage/data-manager/events/events/' + rowScope.row.key" @click="onRowClick(rowScope.row)" class="cly-vue-data-manager__clickable bu-is-clickable color-dark-blue-100">
-                            <div v-html="rowScope.row.name || rowScope.row.key || rowScope.row.e"></div>
+                            <div>{{unescapeHtml(rowScope.row.name || rowScope.row.key || rowScope.row.e)}}</div>
                         </a>
                         <div v-if="rowScope.row.audit && rowScope.row.audit.userName" class="text-small color-cool-gray-50">Last modified by {{rowScope.row.audit.userName}}</div>
                         <div>
@@ -75,7 +75,7 @@
                     <el-table-column v-if="col.value === 'category'"
                         min-width="250" sortable="custom" prop="categoryName" :label="i18n('data-manager.category')">
                         <template v-slot="rowScope">
-                            <div v-html="rowScope.row.categoryName"></div>
+                            <div>{{unescapeHtml(rowScope.row.categoryName)}}</div>
                         </template>
                     </el-table-column>
 
@@ -111,13 +111,13 @@
 
                     <el-table-column v-else-if="col.value === 'description' " sortable="custom" min-width="250" prop="description" :label="i18n('data-manager.description')">
                         <template v-slot="rowScope">
-                                <div v-html="rowScope.row.description || i18n('data-manager.empty-placeholder')"></div>
+                            <div>{{unescapeHtml(rowScope.row.description || i18n('data-manager.empty-placeholder'))}}</div>
                         </template>
                     </el-table-column>
 
                     <el-table-column v-else v-bind:sortable="col.sort ? 'custom' : false" :key="idx" min-width="300" :prop="col.value" :label="col.label">
                         <template v-slot="rowScope">
-                            <div v-html="rowScope.row[col.value] || i18n('data-manager.empty-placeholder')"></div>
+                            <div>{{unescapeHtml(rowScope.row[col.value] || i18n('data-manager.empty-placeholder'))}}</div>
                         </template>
                     </el-table-column>
                 </template>  
diff --git a/plugins/data-manager/frontend/public/templates/manage-category-components.html b/plugins/data-manager/frontend/public/templates/manage-category-components.html
@@ -2,7 +2,7 @@
     <div class="cly-vue-data-manager__mci bg-white">
         <div class="cly-vue-data-manager__mci--block bu-is-flex bu-is-justify-content-space-between bu-is-align-items-center bu-px-4"
             v-if="!editing">
-            <div class="text-medium" v-html="category.name"></div>
+            <div class="text-medium">{{unescapeHtml(category.name)}}</div>
             <div class="bu-is-flex">
                 <div @click="removeCategory" class="bu-mr-3"><i class="el-icon-delete color-cool-gray-50 bu-is-clickable"></i></div>
                 <div @click="editCategory"><i class="el-icon-edit color-cool-gray-50 bu-is-clickable"></i></div>
