From 8dc79e73bd8490d3f0b9d79da78c4fe1f3c878db Mon Sep 17 00:00:00 2001
From: Aditya Toshniwal
Date: Mon, 26 Jun 2023 13:36:25 +0530
Subject: [PATCH] Fix an XSS issue in PSQL tool title
---
 web/pgadmin/tools/psql/static/js/psql_module.js | 5 +++--
 .../sqleditor/static/js/components/QueryToolComponent.jsx | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/web/pgadmin/tools/psql/static/js/psql_module.js b/web/pgadmin/tools/psql/static/js/psql_module.js
index 5ce78b473..1d7b68f1a 100644
--- a/web/pgadmin/tools/psql/static/js/psql_module.js
+++ b/web/pgadmin/tools/psql/static/js/psql_module.js
@@ -154,6 +154,7 @@ export function initialize(gettext, url_for, _, pgAdmin, csrfToken, Browser) {
 const [panelUrl, panelCloseUrl, db_label] = this.getPanelUrls(transId, panelTitle, parentData, gen);
+ const escapedTitle = _.escape(panelTitle);
 let psqlToolForm = `
@@ -161,7 +162,7 @@ export function initialize(gettext, url_for, _, pgAdmin, csrfToken, Browser) {
`;
@@ -178,7 +179,7 @@ export function initialize(gettext, url_for, _, pgAdmin, csrfToken, Browser) {
 registerDetachEvent(psqlToolPanel);
 // Set panel title and icon
- setPanelTitle(psqlToolPanel, panelTitle);
+ setPanelTitle(psqlToolPanel, escapedTitle);
 psqlToolPanel.icon('fas fa-terminal psql-tab-style');
 psqlToolPanel.focus();
diff --git a/web/pgadmin/tools/sqleditor/static/js/components/QueryToolComponent.jsx b/web/pgadmin/tools/sqleditor/static/js/components/QueryToolComponent.jsx
index cc4fe97f5..ad4857c50 100644
--- a/web/pgadmin/tools/sqleditor/static/js/components/QueryToolComponent.jsx
+++ b/web/pgadmin/tools/sqleditor/static/js/components/QueryToolComponent.jsx
@@ -263,8 +263,8 @@ export default function QueryToolComponent({params, pgWindow, pgAdmin, selectedN
 });
 }
 api.post(baseUrl, qtState.params.is_query_tool ? {
- user: qtState.params.user,
- role: qtState.params.role,
+ user: selectedConn.user,
+ role: selectedConn.role,
 password: password
 } : JSON.stringify(qtState.params.sql_filter))
 .then(()=>{
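Review bot: `setPanelTitle(psqlToolPanel, escapedTitle)` now receives the HTML-escaped title, but nothing at the call site records why, so a later edit could quietly reintroduce the raw `panelTitle` that this commit removes; a comment such as `// escapedTitle: the panel renders its title as markup (the XSS fixed here), so the raw title must not reach it` would pin that invariant. The earlier hunk at @@ -154 still hands the unescaped `panelTitle` to `this.getPanelUrls(...)`; where that value ends up is not visible in this patch, so it is worth confirming it is never interpolated into markup on that path. Conversely, if `setPanelTitle` ever switches to a text-only API, the pre-escaped value would display entities literally, so the escaping contract belongs in that helper's documentation as well. The enclosing `initialize` function begins before and continues past this hunk.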
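Review bot: The request body now takes `user` and `role` from `selectedConn` while `password` remains the local value, and nothing explains why the connection's identity has to replace `qtState.params.user`/`role`; a comment such as `// user/role must describe the connection the password was entered for, not the tool's original params` would make the pairing explicit (presumably that mismatch was the bug). `selectedConn` is resolved outside this hunk, so it is not visible whether it can be undefined when this runs; if it can, `selectedConn.user` throws synchronously before `api.post` is reached, where the old `qtState.params.user` would simply have sent whatever was there, so a guard or an early return before the call may be warranted. Stylistically, `password: password` can be the shorthand `password,`. The enclosing `QueryToolComponent` function starts before and ends after this hunk.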