Merge pull request #4838 from pnrgenc/SER-1081

Cookiezaurs · web-flow · commit 97cd7cfd4c4a · 2024-01-12T14:12:20.000+02:00
[SER-1081] Stored XSS on dashboard name
diff --git a/plugins/dashboards/frontend/public/javascripts/countly.views.js b/plugins/dashboards/frontend/public/javascripts/countly.views.js
@@ -1644,7 +1644,7 @@
 
     var DashboardsMenu = countlyVue.views.create({
         template: CV.T('/dashboards/templates/dashboards-menu.html'),
-        mixins: [countlyVue.mixins.hasDrawers("dashboards"), DashboardMixin],
+        mixins: [countlyVue.mixins.hasDrawers("dashboards"), DashboardMixin, countlyVue.mixins.commonFormatters],
         components: {
             "dashboards-drawer": DashboardDrawer
         },
diff --git a/plugins/dashboards/frontend/public/templates/dashboards-menu.html b/plugins/dashboards/frontend/public/templates/dashboards-menu.html
@@ -27,7 +27,7 @@
                             :class="['cly-vue-sidebar__menu-items has-ellipsis',
                             {'cly-vue-sidebar__menu-items--selected': selectedDashboard._id === dashboard._id}]"
                             @click="onDashboardMenuItemClick(dashboard)">
-                            <span v-html="dashboard.name"></span>
+                            <span>{{unescapeHtml(dashboard.name)}}</span>
                         </div>
                     </a>
                 </li>
diff --git a/plugins/dashboards/frontend/public/templates/helpers/widget/primary-legend.html b/plugins/dashboards/frontend/public/templates/helpers/widget/primary-legend.html
@@ -1,7 +1,7 @@
 <div class="bu-is-flex bu-is-align-items-center bu-my-2">
     <div class="clyd-legend-app bu-is-flex-shrink-1" v-if="customText" style="min-width: 0;">
         <div class="bu-is-flex">
-            <span class="bu-ml-1 text-small has-ellipsis bu-is-flex-shrink-1" v-html="customText"></span>
+            <span class="bu-ml-1 text-small has-ellipsis bu-is-flex-shrink-1">{{unescapeHtml(customText)}}</span>
         </div>
     </div>
 
diff --git a/plugins/dashboards/frontend/public/templates/helpers/widget/secondary-legend.html b/plugins/dashboards/frontend/public/templates/helpers/widget/secondary-legend.html
@@ -4,7 +4,7 @@
         <div v-if="item.labels && item.labels.length" class="bu-is-flex bu-is-align-items-center bu-is-flex-shrink-1 bu-is-flex-grow-1" style="min-width: 0">
             <div v-for="(label, i) in item.labels" :class="['bu-is-flex bu-is-align-items-center bu-is-flex-shrink-1 bu-px-2 bu-mr-1']" :style="{backgroundColor: label.color + '26', borderRadius: '4px', minWidth: 0}">
                 <i class="fas fa-circle bu-mr-2" :style="{fontSize: '6px', color: label.color}"></i>
-                <span class="text-small has-ellipsis bu-is-flex-shrink-1" v-html="label.label"></span>
+                <span class="text-small has-ellipsis bu-is-flex-shrink-1">{{unescapeHtml(label.label)}}</span>
             </div>
         </div>
     </div>
diff --git a/plugins/dashboards/frontend/public/templates/helpers/widget/title.html b/plugins/dashboards/frontend/public/templates/helpers/widget/title.html
@@ -1,4 +1,4 @@
 <div class="bu-is-flex bu-is-flex-shrink-1" style="min-width: 0">
-    <h4 class="bu-is-flex-shrink-1 has-ellipsis" v-if="title" v-html="title"></h4>
+    <h4 class="bu-is-flex-shrink-1 has-ellipsis" v-if="title">{{unescapeHtml(title)}}</h4>
     <clyd-title-labels v-if="labels && labels.length" :labels="labels"></clyd-title-labels>
 </div>
