fix: [security] XSS in eventgraph preview payload

- as reported by Cyber Controls from SIX Group
2023-01-18 15:04:45 +01:00 · 2023-01-18 15:04:45 +01:00 · a46f794a13
parent 72c5424034
commit a46f794a13
1 changed files with 2 additions and 2 deletions
--- a/app/webroot/js/event-graph.js
+++ b/app/webroot/js/event-graph.js
@ -636,7 +636,7 @@ class EventGraph {
                    btn_plot.data('network-preview', preview);
                    btn_plot.popover({
                        container: 'body',
-                        content: function() { return '<img style="width: 500px; height: 150px;" src="' + $(this).data('network-preview') + '" />'; },
+                        content: function() { return '<img style="width: 500px; height: 150px;" src="' + $('<div>').text($(this).data('network-preview')).html() + '" />'; },
                        placement: 'right',
                        trigger: 'hover',
                        template: '<div class="popover" role="tooltip"><div class="arrow"></div><h3 class="popover-title"></h3><div class="popover-content" style="width: 500px; height: 150px;"></div></div>',
@ -2002,7 +2002,7 @@ function reset_graph_history() {
                btn_plot.data('network-preview', preview);
                btn_plot.popover({
                    container: 'body',
-                    content: function() { return '<img style="width: 500px; height: 150px;" src="' + $(this).data('network-preview') + '" />'; },
+                    content: function() { return '<img style="width: 500px; height: 150px;" src="' + $('<div>').text($(this).data('network-preview')).html() + '" />'; },
                    placement: 'right',
                    trigger: 'hover',
                    template: '<div class="popover" role="tooltip"><div class="arrow"></div><h3 class="popover-title"></h3><div class="popover-content" style="width: 500px; height: 150px;"></div></div>',