Commit d93d184b authored by Dave Cridland's avatar Dave Cridland

Merge pull request #266 from surevine/dwd/xss-master

Address XSS issues in admin console and monitoring plugin (master)
parents ea7fdc80 7cd64c85
......@@ -5,7 +5,7 @@
<name>Monitoring Service</name>
<description>Monitors conversations and statistics of the server.</description>
<author>Jive Software</author>
<version>1.4.4</version>
<version>1.4.5</version>
<date>10/28/2014</date>
<minServerVersion>3.9.0</minServerVersion>
<databaseKey>monitoring</databaseKey>
......
......@@ -37,6 +37,7 @@ import org.jivesoftware.openfire.user.UserManager;
import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.util.LocaleUtils;
import org.jivesoftware.util.NotFoundException;
import org.jivesoftware.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xmpp.packet.JID;
......@@ -328,8 +329,9 @@ public class ConversationUtils {
if (conversation.getRoom() != null) {
from = message.getToJID().getResource();
}
from = StringUtils.escapeHTMLTags(from);
String cssLabel = cssLabels.get(message.getFromJID().toBareJID());
String body = message.getBody();
String body = StringUtils.escapeHTMLTags(message.getBody());
builder.append("<tr valign=top>");
if (!message.isRoomEvent()) {
builder.append("<td width=1% nowrap class=" + cssLabel + ">").append("[")
......
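Review bot: `cssLabel` on the last visible line of the second hunk is still concatenated into an unquoted `class=` attribute without any escaping, whereas `from` and `body` now pass through `escapeHTMLTags`. If the values in `cssLabels` are assigned by the server rather than derived from packet data this is harmless, but that assumption is not visible here; quoting the attribute and escaping the value, `builder.append("<td width=1% nowrap class=\"").append(StringUtils.escapeForXML(cssLabel)).append("\">").append("[")`, would remove the dependency on it. It is also worth confirming that `StringUtils.escapeHTMLTags` tolerates a null `message.getBody()`, since the previous code only stored the value and a message without a body is plausible. The enclosing method continues past both ends of the hunk.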
......@@ -7,6 +7,7 @@
<%@ page import="org.jivesoftware.util.Log" %>
<%@ page import="org.jivesoftware.util.NotFoundException" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.xmpp.packet.JID" %>
<%@ page import="java.util.*" %>
......@@ -179,14 +180,14 @@
%>
<tr>
<td><%=nickname%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
<td><%=StringUtils.escapeHTMLTags(nickname)%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
<% if (it.hasNext()) {
participation = it.next();
nickname = participation[0];
participant = new JID(participation[1]);
%>
<td><%=nickname%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
<td><%=StringUtils.escapeHTMLTags(nickname)%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
<% } else { %>
<td>&nbsp;</td>
<% } %>
......
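Review bot: In both rewritten `<td>` lines, `participant.getNode()` is still spliced raw into the single-quoted `href` query string and `participant.toBareJID()` is emitted unescaped in both branches, while only `nickname` gained `escapeHTMLTags`. JID node parts are constrained by stringprep (nodeprep prohibits `"`, `&`, `'`, `/`, `:`, `<`, `>` and `@`, as far as I recall), which may be why these were left alone, but that reasoning is not recorded anywhere and holds only as far as JID validation is enforced on the input path; the conversations page in this same PR does wrap `jid.toBareJID()` in `escapeHTMLTags`, so doing the same for `participant.toBareJID()` here would make the two pages consistent. The `username=` parameter would additionally be better URL-encoded, e.g. `URLEncoder.encode(participant.getNode(), "UTF-8")` with a `java.net.URLEncoder` page import, since nodeprep still permits characters such as `?`, `#` and `%` that change the meaning of a query string; the same pattern appears in the conversations page hunk. The scriptlet that sets up `it`, `participation` and `participant` begins outside the hunk.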
......@@ -514,14 +514,14 @@
</tr>
<tr>
<td>
<input type="text" size="22" name="participant1" value="<%= participant1 != null ? participant1 :
<input type="text" size="22" name="participant1" value="<%= participant1 != null ? StringUtils.escapeForXML(participant1) :
LocaleUtils.getLocalizedString("archive.search.participants.any", "monitoring") %>" class="textfield"/>
</td>
</tr>
<tr>
<td>
<input type="text" size="22" name="participant2" value="<%= participant2 != null ? participant2 : anyText %>" class="textfield"/>
<input type="text" size="22" name="participant2" value="<%= participant2 != null ? StringUtils.escapeForXML(participant2) : anyText %>" class="textfield"/>
</td>
</tr>
......@@ -546,7 +546,7 @@
<td><fmt:message key="archive.search.daterange.start" /></td>
<td>
<input type="text" id="startDate" name="startDate" size="13"
value="<%= startDate != null ? startDate :
value="<%= startDate != null ? StringUtils.escapeForXML(startDate) :
LocaleUtils.getLocalizedString("archive.search.daterange.any", "monitoring")%>" class="textfield"/><br/>
<span class="jive-description"><fmt:message key="archive.search.daterange.format" /></span>
</td>
......@@ -558,7 +558,7 @@
<td><fmt:message key="archive.search.daterange.end" /></td>
<td>
<input type="text" id="endDate" name="endDate" size="13"
value="<%= endDate != null ? endDate :
value="<%= endDate != null ? StringUtils.escapeForXML(endDate) :
LocaleUtils.getLocalizedString("archive.search.daterange.any", "monitoring") %>" class="textfield"/><br/>
<span class="jive-description"><fmt:message key="archive.search.daterange.format" /></span>
</td>
......@@ -586,7 +586,7 @@
<tr>
<td>
<% if(isArchiveEnabled){%>
<input type="text" name="keywords" size="35" class="keyword-field" value="<%= query != null ? query : ""%>"/>
<input type="text" name="keywords" size="35" class="keyword-field" value="<%= query != null ? StringUtils.escapeForXML(query) : ""%>"/>
<% } else { %>
<fmt:message key="archive.search.keywords.disabled">
<fmt:param value="<a href='archiving-settings.jsp'>" />
......
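Review bot: The attribute values in these hunks are escaped with `StringUtils.escapeForXML` while element content elsewhere in this PR uses `StringUtils.escapeHTMLTags`, and nothing on the page records why the two helpers differ. If `escapeHTMLTags` only neutralises angle brackets it is not sufficient inside a quoted attribute value, where a stray `"` terminates the value; a one-line comment above the first escaped `<input>`, such as `<%-- attribute values need quote escaping: use escapeForXML, not escapeHTMLTags --%>`, would keep a later edit from picking the weaker helper. The fallback branches (`LocaleUtils.getLocalizedString(...)` and `anyText`) are left unescaped, which is fine only if they come from the resource bundle rather than from request parameters; `anyText` is declared outside the hunk, so I could not confirm that.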
......@@ -131,7 +131,7 @@ function updateConversations(data) {
<!-- <a href="#" onclick="conversationUpdater(); return false;">click me</a> -->
<p>
<fmt:message key="archive.conversations" />
<span id="activeConversations"><%= conversationManager.getConversationCount() %></span
<span id="activeConversations"><%= conversationManager.getConversationCount() %></span>
</p>
<%
......@@ -169,9 +169,9 @@ function updateConversations(data) {
<% if (conversation.getRoom() == null) { %>
<% for (JID jid : participants) { %>
<% if (server.isLocal(jid) && userManager.isRegisteredUser(jid.getNode())) { %>
<a href="/user-properties.jsp?username=<%= jid.getNode() %>"><%= jid %></a><br />
<a title='User Link' href="/user-properties.jsp?username=<%= jid.getNode() %>"><%= StringUtils.escapeHTMLTags(jid.toBareJID()) %></a><br />
<% } else { %>
<%= jid.toBareJID() %><br/>
<%= StringUtils.escapeHTMLTags(jid.toBareJID()) %><br/>
<% } %>
<% } %>
<% } else { %>
......
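Review bot: The added `title='User Link'` on the anchor is a hard-coded English string, whereas the surrounding page localises user-visible text through `<fmt:message>` (see the `archive.conversations` message in the first hunk). Either drop the attribute or route it through the bundle with a new key, e.g. `title='<fmt:message key="KEY_TO_BE_ADDED" />'`. Separately, the link text changes from the full `jid` to `jid.toBareJID()`, which drops the resource part from the display; that is a visible behaviour change beyond the escaping described in the PR title and deserves a line in the description. The outer `if (conversation.getRoom() == null)` block closes outside the hunk.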
......@@ -8,6 +8,13 @@
<display-name>Openfire</display-name>
<!-- OF-902 use HttpOnly for session cookie -->
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
<!-- prevent URL rewritting with jsessionid included, OF-669 -->
<context-param>
<param-name>org.eclipse.jetty.servlet.SessionIdPathParameterName</param-name>
......
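Review bot: `<cookie-config>` inside `<session-config>` is only recognised by a Servlet 3.0 or later deployment descriptor; the `<web-app>` root element with its `version` attribute lies outside the hunk, so confirm it declares 3.0+, otherwise the new block is either ignored or rejected by schema validation and the HttpOnly protection the OF-902 comment promises is not applied. The same block can also carry `<secure>true</secure>`, which keeps the session cookie off plain-HTTP connections; whether that is usable depends on whether the console is still reachable over plain HTTP, which this hunk does not show. Extending the existing comment to `<!-- OF-902 use HttpOnly for session cookie; requires a Servlet 3.0+ web-app declaration -->` would make the requirement explicit for the next reader.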