From 999f5e1e7467fc688f00515e14ff247cdeb730d3 Mon Sep 17 00:00:00 2001
From: Roy
Date: Wed, 27 Mar 2024 13:38:58 +0100
Subject: [PATCH 1/2] Help prevent XSS attacks through access to database "displayName" column.

---
 DNN Platform/Modules/Journal/Scripts/mentionsInput.js | 2 +-
 .../admin/personaBar/scripts/permissionGrid.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/DNN Platform/Modules/Journal/Scripts/mentionsInput.js b/DNN Platform/Modules/Journal/Scripts/mentionsInput.js
index 6672d9694f..064588c833 100644
--- a/DNN Platform/Modules/Journal/Scripts/mentionsInput.js
+++ b/DNN Platform/Modules/Journal/Scripts/mentionsInput.js
@@ -162,7 +162,7 @@ $this.data('ui-autocomplete')._renderItem = function(ul, item) { return $('
  • ')
 .data('ui-autocomplete-item', item)
- .append('' + item.displayName + '')
+ .append('' + $('').text(dnn.decodeHTML(item.displayName)) + '')
 .appendTo(ul);
 };
diff --git a/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js b/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
index cca1593c04..e096a53944 100644
--- a/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
+++ b/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
@@ -109,7 +109,7 @@ if (typeof dnn.controls === "undefined" || dnn.controls === null) { dnn.controls
 var cols = header.find('>td:not(:first-child)');
 var row = $('');
 row.data('key', type == "users" ? data.userId : data.roleId);
- row.append('' + (type == "users" ? data.displayName : data.roleName) + "");
+ row.append($('').text(dnn.decodeHTML(type == "users" ? data.displayName : data.roleName)));
 for (var i = 0; i < cols.length; i++) {
 var headerCol = cols.eq(i);
 var permissionId = headerCol.data('permissionId');
-- 
2.32.0
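Review bot: The added `.append(...)` line in mentionsInput.js still builds the markup by string concatenation, so the `$('…').text(…)` jQuery object is coerced through `toString()` and the suggestion will render as `[object Object]` rather than the escaped display name (the element selectors are blank in this rendering, so I am reading the expression shape rather than the tag names). The `.text()` escaping only takes effect when the element itself is handed to `.append()`, which is the form the permissionGrid.js hunk uses. Suggest mirroring it: `.append($(WRAPPER_TAG).text(dnn.decodeHTML(item.displayName)))`, where WRAPPER_TAG stands for the element the removed line wrapped the name in. The `_renderItem` callback closes at `};` inside the hunk, but the scope it is assigned from starts outside it.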
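Review bot: The new `row.append(...)` line in permissionGrid.js carries over the loose `type == "users"` comparison from the removed line; with a string literal on the right, `type === "users"` expresses the same check without coercion. Passing the `.text()`-built cell element to `.append()` rather than a concatenated string is what makes the escaping effective here, so this hunk has the right shape. The enclosing function starts before the hunk and continues after it.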