From 503e584d979e5f39ecdbb52f8806e83048859b7d Mon Sep 17 00:00:00 2001
From: zinduolis
Date: Mon, 19 Jan 2026 17:16:05 +1000
Subject: [PATCH] sanitise inputs for hooked browsers
---
 .../javascript/ui/panel/zombiesTreeList.js | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
index e9c1c2ace..3d81e42e4 100644
--- a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
+++ b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
@@ -467,24 +467,26 @@ try{
 }
 // set zombie hover balloon text for tree node
+ // Use Ext.util.Format.htmlEncode() to prevent XSS via malicious browser properties
+ var encode = Ext.util.Format.htmlEncode;
 var balloon_text = "";
- balloon_text += hooked_browser.ip;
+ balloon_text += encode(hooked_browser.ip);
 balloon_text += "
"
 balloon_text += " ";
- balloon_text += "Origin: " + hooked_browser.domain + ":" + hooked_browser.port;
+ balloon_text += "Origin: " + encode(hooked_browser.domain) + ":" + encode(hooked_browser.port);
 balloon_text += "
";
 balloon_text += " ";
- balloon_text += "Browser: " + hooked_browser.browser_name + " " + hooked_browser.browser_version;
+ balloon_text += "Browser: " + encode(hooked_browser.browser_name) + " " + encode(hooked_browser.browser_version);
 balloon_text += "
";
 balloon_text += " ";
 if (hooked_browser.os_version == 'Unknown') {
- balloon_text += "OS: " + hooked_browser.os_name;
+ balloon_text += "OS: " + encode(hooked_browser.os_name);
 } else {
- balloon_text += "OS: " + hooked_browser.os_name + ' ' + hooked_browser.os_version;
+ balloon_text += "OS: " + encode(hooked_browser.os_name) + ' ' + encode(hooked_browser.os_version);
 }
 balloon_text += "
";
 balloon_text += " ";
- balloon_text += "Hardware: " + hooked_browser.hw_name;
+ balloon_text += "Hardware: " + encode(hooked_browser.hw_name);
 balloon_text += "
";
 if ( !hooked_browser.country || !hooked_browser.country_code || hooked_browser.country == 'Unknown' ) {
@@ -492,11 +494,11 @@ try{
 balloon_text += "Location: Unknown";
 } else {
 balloon_text += " ";
- balloon_text += "Location: " + hooked_browser.city + ", " + hooked_browser.country;
+ balloon_text += "Location: " + encode(hooked_browser.city) + ", " + encode(hooked_browser.country);
 }
 balloon_text += "
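Review bot: The new `encode` alias is only a complete fix while every encoded value stays in element-text position, which is what this hunk does for ip, domain, port, browser and OS; if this UI is still on the ExtJS 3 line (the diff does not say), `Ext.util.Format.htmlEncode` replaces `&`, `<`, `>` and `"` but leaves `'` alone, so the same helper would not be enough for a value placed inside a single-quoted attribute. Worth recording that constraint next to the alias, e.g. `// NOTE: htmlEncode covers text-node context only; never reuse it for attribute values`. The helper also returns falsy inputs unchanged, so a missing field still renders as the literal "undefined" exactly as before, meaning the change encodes but does not validate. The same applies to the Location and Local Date lines in the second hunk and to the tree label in the third. The enclosing `try{` block begins before this hunk.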
";
- balloon_text += "Local Date: " + hooked_browser.date;
+ balloon_text += "Local Date: " + encode(hooked_browser.date);
 hooked_browser.qtip = balloon_text;
 // set zombie text label for tree node
@@ -511,7 +513,7 @@ try{
 text += " ";
 }
- text += hooked_browser.ip;
+ text += encode(hooked_browser.ip);
 hooked_browser.text = text;
 //save a new online HB
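Review bot: In the third hunk only `hooked_browser.ip` is encoded, but `text` is accumulated from lines above line 513 that the diff does not show; if any other hooked-browser field is concatenated there, it still reaches the node's HTML label unencoded, and I cannot confirm either way from this patch. The enclosing block starts before the hunk. A one-line invariant at `hooked_browser.text = text;` such as `// every hooked_browser field folded into text must go through encode()` would make the expectation explicit for whoever extends the label next.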