Merge pull request #328 from spadgett/3.7-sanitize-log

spadgett · web-flow · commit 0eb69202fbdb · 2018-04-12T17:19:45.000-04:00
[enterprise-3.7] Sanitize HTML output for log viewer
diff --git a/dist/origin-web-common-ui.js b/dist/origin-web-common-ui.js
@@ -2126,7 +2126,7 @@ angular.module('openshiftCommonUI').factory('GuidedTourService', function() {
 ;'use strict';
 
 angular.module("openshiftCommonUI")
-  .factory("HTMLService", function(BREAKPOINTS) {
+  .factory("HTMLService", function($sanitize, BREAKPOINTS) {
     var WINDOW_SIZE_XXS = 'xxs';
     var WINDOW_SIZE_XS = 'xs';
     var WINDOW_SIZE_SM = 'sm';
@@ -2216,13 +2216,13 @@ angular.module("openshiftCommonUI")
         }
 
         // Replace any URLs with links.
-        return text.replace(/https?:\/\/[A-Za-z0-9._%+-]+[^\s<]*[^\s.,()\[\]{}<>"\u201d\u2019]/gm, function(str) {
+        return $sanitize(text.replace(/https?:\/\/[A-Za-z0-9._%+-]+[^\s<]*[^\s.,()\[\]{}<>"\u201d\u2019]/gm, function(str) {
           if (target) {
             return "<a href=\"" + str + "\" target=\"" + target + "\">" + str + " <i class=\"fa fa-external-link\" aria-hidden=\"true\"></i></a>";
           }
 
           return "<a href=\"" + str + "\">" + str + "</a>";
-        });
+        }));
       }
     };
   });
diff --git a/dist/origin-web-common.js b/dist/origin-web-common.js
@@ -5913,7 +5913,7 @@ angular.module('openshiftCommonUI').factory('GuidedTourService', function() {
 ;'use strict';
 
 angular.module("openshiftCommonUI")
-  .factory("HTMLService", ["BREAKPOINTS", function(BREAKPOINTS) {
+  .factory("HTMLService", ["$sanitize", "BREAKPOINTS", function($sanitize, BREAKPOINTS) {
     var WINDOW_SIZE_XXS = 'xxs';
     var WINDOW_SIZE_XS = 'xs';
     var WINDOW_SIZE_SM = 'sm';
@@ -6003,13 +6003,13 @@ angular.module("openshiftCommonUI")
         }
 
         // Replace any URLs with links.
-        return text.replace(/https?:\/\/[A-Za-z0-9._%+-]+[^\s<]*[^\s.,()\[\]{}<>"\u201d\u2019]/gm, function(str) {
+        return $sanitize(text.replace(/https?:\/\/[A-Za-z0-9._%+-]+[^\s<]*[^\s.,()\[\]{}<>"\u201d\u2019]/gm, function(str) {
           if (target) {
             return "<a href=\"" + str + "\" target=\"" + target + "\">" + str + " <i class=\"fa fa-external-link\" aria-hidden=\"true\"></i></a>";
           }
 
           return "<a href=\"" + str + "\">" + str + "</a>";
-        });
+        }));
       }
     };
   }]);
diff --git a/dist/origin-web-common.min.js b/dist/origin-web-common.min.js
@@ -2616,7 +2616,7 @@ return {
 startTour:startTour,
 cancelTour:cancelTour
 };
-}), angular.module("openshiftCommonUI").factory("HTMLService", [ "BREAKPOINTS", function(BREAKPOINTS) {
+}), angular.module("openshiftCommonUI").factory("HTMLService", [ "$sanitize", "BREAKPOINTS", function($sanitize, BREAKPOINTS) {
 var WINDOW_SIZE_XXS = "xxs", WINDOW_SIZE_XS = "xs", WINDOW_SIZE_SM = "sm", WINDOW_SIZE_MD = "md", WINDOW_SIZE_LG = "lg";
 return {
 WINDOW_SIZE_XXS:WINDOW_SIZE_XXS,
@@ -2667,9 +2667,9 @@ return !0;
 }
 },
 linkify:function(text, target, alreadyEscaped) {
-return text ? (alreadyEscaped || (text = _.escape(text)), text.replace(/https?:\/\/[A-Za-z0-9._%+-]+[^\s<]*[^\s.,()\[\]{}<>"\u201d\u2019]/gm, function(str) {
+return text ? (alreadyEscaped || (text = _.escape(text)), $sanitize(text.replace(/https?:\/\/[A-Za-z0-9._%+-]+[^\s<]*[^\s.,()\[\]{}<>"\u201d\u2019]/gm, function(str) {
 return target ? '<a href="' + str + '" target="' + target + '">' + str + ' <i class="fa fa-external-link" aria-hidden="true"></i></a>' :'<a href="' + str + '">' + str + "</a>";
-})) :text;
+}))) :text;
 }
 };
 } ]), angular.module("openshiftCommonUI").provider("NotificationsService", function() {
diff --git a/src/ui-services/htmlService.js b/src/ui-services/htmlService.js
@@ -1,7 +1,7 @@
 'use strict';
 
 angular.module("openshiftCommonUI")
-  .factory("HTMLService", function(BREAKPOINTS) {
+  .factory("HTMLService", function($sanitize, BREAKPOINTS) {
     var WINDOW_SIZE_XXS = 'xxs';
     var WINDOW_SIZE_XS = 'xs';
     var WINDOW_SIZE_SM = 'sm';
@@ -91,13 +91,13 @@ angular.module("openshiftCommonUI")
         }
 
         // Replace any URLs with links.
-        return text.replace(/https?:\/\/[A-Za-z0-9._%+-]+[^\s<]*[^\s.,()\[\]{}<>"\u201d\u2019]/gm, function(str) {
+        return $sanitize(text.replace(/https?:\/\/[A-Za-z0-9._%+-]+[^\s<]*[^\s.,()\[\]{}<>"\u201d\u2019]/gm, function(str) {
           if (target) {
             return "<a href=\"" + str + "\" target=\"" + target + "\">" + str + " <i class=\"fa fa-external-link\" aria-hidden=\"true\"></i></a>";
           }
 
           return "<a href=\"" + str + "\">" + str + "</a>";
-        });
+        }));
       }
     };
   });
