Prevent XSS for REST API by escape String content #2985
Comments
Limraj added a commit that referenced this issue on Aug 15, 2024
- added serializer: XssStringSerializer;
- defined ObjectMapper in xml config (springDispatcher-servlet.xml) and ApplicationBeans.getObjectMapper, then use this method when new ObjectMapper;
- corrected websocket url in index.js, websocketStore.js, dataPointEdit.jsp;
- corrected visible escape text content in EventList.vue;
- fixed HttpSenderRT for POST with JSON;
- fixed: AuthenticationAPI, ConfigAPI, EventDetectorAPI, EventHandlerAPI, PointPropertiesAPI, PointValueAPI, SystemSettingsAPI, UtilsAPI, ViewAPI, ViewComponentAPI, ViewHierarchyAPI, PointHierarchyController, DataPointsBaseOnNameFilter;
Limraj added a commit that referenced this issue on Aug 17, 2024
- fixed cssEditor in systemSettings.jsp - replace \n\r to \n in XssCssStyleSerializer/XssStringSerializer, use innerHTML, added function updateCodeTextEscaped in highlight.jsp, created class XssUtils;
- refactoring method: FileUtil.compactFiles;
- added methods: DataPointApiService.getDataPointByXid, DataPointApiService.getDataPointByXid, EmportDwr.exportDataPointBy;
- deprecated methods/class: DataPointApiService.getConfigurationByXid, EmportDwr.exportJSON, TranslateAPI;
- Refactoring API, change return type from String to Map: CustomCssAPI, DataPointAPI, MailingListAPI, ScriptsAPI, SystemSettingsAPI, ViewAPI, AmChartValuesAPI, SynopticPanelAPI, ChangeDataAPI, GetHistoryChangesAPI, ReadDataBaseXIdAPI;
- removed unused and deprecated class EventsServiceWebSocket;
- corrected translation 'Event Pending Limit' and 'Enabled Event Pending Cache';
- upgrade Jackson lib from 2.8.2 to 2.17.2: jackson-annotations-2.17.2.jar, jackson-core-2.17.2.jar, jackson-databind-2.17.2.jar;
Limraj added a commit that referenced this issue on Aug 20, 2024
- fixed Synoptic Panel (XssSynopticPanelSerializer);
- added validate svg from Synoptic Panel;
- fixed double websocket initialization;
- added method ValidationUtils.validSvg;
Limraj added a commit that referenced this issue on Aug 26, 2024
- renamed XssCssStyleSerializer to XssProtectCssStyleSerializer, XssStringSerializer to XssProtectStringSerializer, XssSynopticPanelSerializer to XssProtectSynopticPanelSerializer, XssUtils to XssProtectHtmlEscapeUtils;
- moved XssProtectCssStyleSerializer, XssProtectStringSerializer, XssProtectSynopticPanelSerializer, XssProtectSynopticPanelSerializer, XssProtectHtmlEscapeUtils to org.scada_lts.web.security package;
- added test XssProtectHtmlEscapeUtilsTest;
- removed XssSynopticPanelSerializer;
- added function unescapeHtml in: \Scada-LTS\WebContent\resources\common.js, \Scada-LTS\scadalts-ui\src\utils\common.js;
- corrected unescape content comment on new ui;
Limraj added a commit that referenced this issue on Aug 26, 2024
- revert websocket url: index.js, websocketStore.js;
Limraj added a commit that referenced this issue on Aug 30, 2024
- fixed added comment event and point type;
Limraj added a commit that referenced this issue on Sep 2, 2024
- fixed save Synoptic Panel;
- corrected gradle task: buildRun, buildRunDebug;
Limraj added a commit that referenced this issue on Sep 2, 2024
…T_API_by_escape_String_content #2985 Prevent XSS for REST API by escape String content:
Limraj added a commit that referenced this issue on Sep 10, 2024
- corrected visible name/xid/description on Lists Data Source/Data Point;
- corrected visible reports/instances;
Limraj added a commit that referenced this issue on Nov 21, 2024
- Fixed Report in new ui - added email address, report name, cron;
- Fixed list data points and data sources, create/update data point and data source in new UI;
- Fixed datapoint details in new UI;
Limraj added a commit that referenced this issue on Nov 21, 2024
- Corrected rules in VirtualDataSource/point.vue;
- removed not used imports - DataPointCreation.vue, ReportsForm.vue
Limraj added a commit that referenced this issue on Nov 25, 2024
- Fixed create Data Source in new UI;
- Fixed update Meta Data Point in new UI;
Limraj added a commit that referenced this issue on Nov 25, 2024
- Using class XssProtectUtils (use Spring) instead of Security class from dwr;
- Rename classes: XssProtectHtmlUtils to XssProtectUtils, XssUtils to XssValidatorUtils;
- Changed the no-args constructor of class XssProtectUtils from private to public;
- Added Data Point information to console log in ScriptExecutor.convertContext;
Limraj added a commit that referenced this issue on Nov 27, 2024
- Removed unused import in PointProperties\index.vue;
- Added @XssProtect annotation to fields deviceName, datasourceName, dataSourceXid in DataPointJson, to fields oid, binary0Value in SnmpPointLocatorJson, to field updateCronPattern in MetaPointLocatorJson, to field charset in ModbusIpPointLocatorJson;
Limraj added a commit that referenced this issue on Nov 27, 2024
…T_API_by_escape_String_content2 #2985 Prevent XSS for REST API by escape String content:
Description
Add a serializer for ObjectMapper, bound to the String type, which escapes the contents of String fields when Java objects are serialized into the JSON passed to the frontend.
Improved new UI pages:
In the new UI it is not possible to enter text containing scripts. If such text was already entered through the old UI, the script should be escaped in the new UI.
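The mechanism the description asks for, as an added example that is not Scada-LTS code: a Jackson JsonSerializer bound to String that HTML-escapes every String value on the way out, registered on the ObjectMapper through a SimpleModule and run over a hypothetical DataPointDto holding a constructed value of the kind the description mentions. The class, field and module names are assumptions.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import java.io.IOException;

public class EscapingStringSerializerDemo {
    // Escape the five HTML-significant characters; everything else passes through unchanged.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Serializer bound to String: Jackson invokes it for every non-null String value it writes,
    // so escaping happens once, centrally, instead of per controller.
    static final class HtmlEscapingStringSerializer extends JsonSerializer<String> {
        @Override
        public void serialize(String value, JsonGenerator gen, SerializerProvider sp) throws IOException {
            gen.writeString(escapeHtml(value));
        }
    }
    // Hypothetical DTO standing in for a data point returned by the REST API (assumed name).
    public static class DataPointDto {
        public String name;
        public String description;
        DataPointDto(String name, String description) { this.name = name; this.description = description; }
    }
    // Build an ObjectMapper with the String serializer registered through a SimpleModule;
    // the same mapper would be the one exposed as a Spring bean for the REST layer.
    static ObjectMapper escapingMapper() {
        SimpleModule module = new SimpleModule("xss-escape");
        module.addSerializer(String.class, new HtmlEscapingStringSerializer());
        return new ObjectMapper().registerModule(module);
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: a name that was stored unescaped through the old UI.
        DataPointDto dto = new DataPointDto("<script>alert(1)</script>", "Tom & \"Jerry\"");
        System.out.println(escapingMapper().writeValueAsString(dto));
    }
}
```

Because the escaping is applied at serialization time, a client that needs the original text back (for example an edit form) has to unescape it, which is what the unescapeHtml helpers added in the commits above are for. Fields that legitimately carry markup, such as CSS or SVG, need their own serializer or validation rather than plain HTML escaping, as the XssProtectCssStyleSerializer and ValidationUtils.validSvg commits show.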