From 62672b2159a9c6f1b001cb8f5abaa604bedfa0ad Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Thu, 28 Jul 2011 13:29:38 +0000
Subject: [PATCH] Issue 384: added escape_for_html function to escape PoC data before rendering in ExtJs UI
git-svn-id: https://beef.googlecode.com/svn/trunk@1125 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
 extensions/admin_ui/controllers/xssrays/xssrays.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/extensions/admin_ui/controllers/xssrays/xssrays.rb b/extensions/admin_ui/controllers/xssrays/xssrays.rb
index 6ca9e6d34..ef9a7a5b6 100644
--- a/extensions/admin_ui/controllers/xssrays/xssrays.rb
+++ b/extensions/admin_ui/controllers/xssrays/xssrays.rb
@@ -55,13 +55,22 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
 'id' => log.id,
 'vector_method' => log.vector_method,
 'vector_name' => log.vector_name,
- 'vector_poc' => log.vector_poc
+ 'vector_poc' => escape_for_html(log.vector_poc)
 }
 }
 @body = {'success' => 'true', 'logs' => logs}.to_json
 end
+ def escape_for_html(str)
+ str.gsub!(//, '>')
+ str.gsub!(/\u0022/, '"')
+ str.gsub!(/\u0027/, ''')
+ str.gsub!(/\\/, '\')
+ str
+ end
+
 # called by the UI. needed to pass the hooked browser ID/session and store a new scan in the DB
 def set_scan_target
 hooked_browser = HB.first(:session => @params['hb_id'].to_s)
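Review bot: None of the `gsub!` calls in the new `escape_for_html` replaces `&`, so a PoC string that already contains an entity-like sequence survives unchanged and is rendered ambiguously; an `&` replacement would also have to run before the others, since every replacement target that is an entity itself introduces `&`. The calls are the bang form, so they mutate the string returned by `log.vector_poc` in place rather than a copy, which presumably changes the attribute on the loaded record as well; and a nil `vector_poc` would raise on the first call. The standard library already does all of this correctly: add `require 'cgi'` at the top of the file and reduce the body to `def escape_for_html(str) CGI.escapeHTML(str.to_s) end`, which handles `&`, `<`, `>`, `"` and `'` in one pass, in the right order, without touching the original string. The first escaping line is garbled in this rendering of the patch, so the exact set of characters the commit handles cannot be confirmed from here; `set_scan_target` starts in the hunk and continues past its end.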