tyler.durden
/
icingaweb2
mirror of https://github.com/Icinga/icingaweb2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SshResourceForm: fix XSS by escaping user-defined resource name 

in the tooltip of the message shown instead of the private key.
This commit is contained in:
Alexander A. Klimov 2022-11-22 13:43:34 +01:00 committed by Johannes Meyer
parent bdb9fd299b
commit a3100d378b
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
application/forms/Config/Resource/SshResourceForm.php
View File

@ -87,9 +87,9 @@ class SshResourceForm extends Form
'value' => sprintf( 'value' => sprintf(
'<a href="%1$s" data-base-target="_next" title="%2$s" aria-label="%2$s">%3$s</a>', '<a href="%1$s" data-base-target="_next" title="%2$s" aria-label="%2$s">%3$s</a>',
$this->getView()->url('config/removeresource', array('resource' => $resourceName)), $this->getView()->url('config/removeresource', array('resource' => $resourceName)),
sprintf($this->translate( $this->getView()->escape(sprintf($this->translate(
'Remove the %s resource' 'Remove the %s resource'
), $resourceName), ), $resourceName)),
$this->translate('To modify the private key you must recreate this resource.') $this->translate('To modify the private key you must recreate this resource.')
) )
) )