Close XSS issues in Monitoring plugin

A number of stored XSS issues were found by Dean Hardcastle during testing of the monitoring plugin's admin console. These include cases where chatroom nicknames and message text are not adequately escaped.

Close XSS issues in Monitoring plugin
A number of stored XSS issues were found by Dean Hardcastle during testing of the monitoring plugin's admin console. These include cases where chatroom nicknames and message text are not adequately escaped.
2abbd440 · Dave Cridland · 76e2af85 · 2abbd440 · 2abbd440 · 2abbd440
Commit 2abbd440 authored Jul 17, 2015 by Dave Cridland
5 changed files
--- a/src/plugins/monitoring/plugin.xml
+++ b/src/plugins/monitoring/plugin.xml
@@ -5,7 +5,7 @@
    <name>Monitoring Service</name>
    <description>Monitors conversations and statistics of the server.</description>
    <author>Jive Software</author>
-    <version>1.4.4</version>
+    <version>1.4.5</version>
    <date>10/28/2014</date>
    <minServerVersion>3.9.0</minServerVersion>
    <databaseKey>monitoring</databaseKey>

--- a/src/plugins/monitoring/src/java/org/jivesoftware/openfire/archive/ConversationUtils.java
+++ b/src/plugins/monitoring/src/java/org/jivesoftware/openfire/archive/ConversationUtils.java
@@ -37,6 +37,7 @@ import org.jivesoftware.openfire.user.UserManager;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.LocaleUtils;
 import org.jivesoftware.util.NotFoundException;
+import org.jivesoftware.util.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xmpp.packet.JID;
@@ -328,8 +329,9 @@ public class ConversationUtils {
            if (conversation.getRoom() != null) {
                from = message.getToJID().getResource();
            }
+            from = StringUtils.escapeHTMLTags(from);
            String cssLabel = cssLabels.get(message.getFromJID().toBareJID());
-            String body = message.getBody();
+            String body = StringUtils.escapeHTMLTags(message.getBody());
            builder.append("<tr valign=top>");
            if (!message.isRoomEvent()) {
                builder.append("<td width=1% nowrap class=" + cssLabel + ">").append("[")

--- a/src/plugins/monitoring/src/web/archive-conversation-participants.jsp
+++ b/src/plugins/monitoring/src/web/archive-conversation-participants.jsp
@@ -7,6 +7,7 @@
 <%@ page import="org.jivesoftware.util.Log" %>
 <%@ page import="org.jivesoftware.util.NotFoundException" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.xmpp.packet.JID" %>
 <%@ page import="java.util.*" %>

@@ -179,14 +180,14 @@
            %>
            <tr>
                
-                <td><%=nickname%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
+                <td><%=StringUtils.escapeHTMLTags(nickname)%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>

                <% if (it.hasNext()) {
                    participation = it.next();
                    nickname = participation[0];
                    participant = new  JID(participation[1]);
                %>
-                <td><%=nickname%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
+                <td><%=StringUtils.escapeHTMLTags(nickname)%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
                <% } else { %>
                <td>&nbsp;</td>
                <% } %>

--- a/src/plugins/monitoring/src/web/archive-search.jsp
+++ b/src/plugins/monitoring/src/web/archive-search.jsp
@@ -514,14 +514,14 @@
        </tr>
        <tr>
            <td>
-                <input type="text" size="22" name="participant1" value="<%= participant1 != null ? participant1 :
+                <input type="text" size="22" name="participant1" value="<%= participant1 != null ? StringUtils.escapeForXML(participant1) :
                LocaleUtils.getLocalizedString("archive.search.participants.any", "monitoring") %>" class="textfield"/>
            </td>

        </tr>
        <tr>
            <td>
-                <input type="text" size="22" name="participant2" value="<%= participant2 != null ? participant2 : anyText %>" class="textfield"/>
+                <input type="text" size="22" name="participant2" value="<%= participant2 != null ? StringUtils.escapeForXML(participant2) : anyText %>" class="textfield"/>
            </td>

        </tr>
@@ -546,7 +546,7 @@
            <td><fmt:message key="archive.search.daterange.start" /></td>
            <td>
                <input type="text" id="startDate" name="startDate" size="13"
-                       value="<%= startDate != null ? startDate :
+                       value="<%= startDate != null ? StringUtils.escapeForXML(startDate) :
                       LocaleUtils.getLocalizedString("archive.search.daterange.any", "monitoring")%>" class="textfield"/><br/>
                <span class="jive-description"><fmt:message key="archive.search.daterange.format" /></span>
            </td>
@@ -558,7 +558,7 @@
            <td><fmt:message key="archive.search.daterange.end" /></td>
            <td>
                <input type="text" id="endDate" name="endDate" size="13"
-                       value="<%= endDate != null ? endDate :
+                       value="<%= endDate != null ? StringUtils.escapeForXML(endDate) :
                       LocaleUtils.getLocalizedString("archive.search.daterange.any", "monitoring") %>" class="textfield"/><br/>
                <span class="jive-description"><fmt:message key="archive.search.daterange.format" /></span>
            </td>
@@ -586,7 +586,7 @@
        <tr>
            <td>
                <% if(isArchiveEnabled){%>
-                <input type="text" name="keywords" size="35" class="keyword-field" value="<%= query != null ? query : ""%>"/>
+                <input type="text" name="keywords" size="35" class="keyword-field" value="<%= query != null ? StringUtils.escapeForXML(query) : ""%>"/>
                <% } else { %>
                    <fmt:message key="archive.search.keywords.disabled">
                        <fmt:param value="<a href='archiving-settings.jsp'>" />

--- a/src/plugins/monitoring/src/web/conversations.jsp
+++ b/src/plugins/monitoring/src/web/conversations.jsp
@@ -131,7 +131,7 @@ function updateConversations(data) {
 <!-- <a href="#" onclick="conversationUpdater(); return false;">click me</a> -->
 <p>
    <fmt:message key="archive.conversations" />
-    <span id="activeConversations"><%= conversationManager.getConversationCount() %></span
+    <span id="activeConversations"><%= conversationManager.getConversationCount() %></span>
 </p>

 <%
@@ -169,9 +169,9 @@ function updateConversations(data) {
            <% if (conversation.getRoom() == null) { %>
                <% for (JID jid : participants) { %>
                    <% if (server.isLocal(jid) && userManager.isRegisteredUser(jid.getNode())) { %>
-                        <a href="/user-properties.jsp?username=<%= jid.getNode() %>"><%= jid %></a><br />
+                        <a title='User Link' href="/user-properties.jsp?username=<%= jid.getNode() %>"><%= StringUtils.escapeHTMLTags(jid.toBareJID()) %></a><br />
                    <% } else { %>
-                        <%= jid.toBareJID() %><br/>
+                        <%= StringUtils.escapeHTMLTags(jid.toBareJID()) %><br/>
                    <% } %>
                <% } %>
            <% } else { %>