From c39d257bf65b4c2c8f07901f4a909708c771775c Mon Sep 17 00:00:00 2001 From: Aditya Toshniwal Date: Mon, 24 Jun 2019 16:06:03 +0530 Subject: [PATCH] Fix an XSS issue when username contains XSS vulnerable text. Fixes #4386 --- docs/en_US/release_notes_4_9.rst | 3 ++- .../tools/datagrid/static/js/datagrid.js | 23 ++++--------------- ...panel_title.js => datagrid_panel_title.js} | 22 ++++++++++++++++++ .../tools/datagrid/static/js/show_data.js | 2 +- .../datagrid/static/js/show_query_tool.js | 2 +- .../tools/sqleditor/static/js/sqleditor.js | 10 ++++---- .../datagrid/get_panel_title_spec.js | 2 +- 7 files changed, 35 insertions(+), 29 deletions(-) rename web/pgadmin/tools/datagrid/static/js/{get_panel_title.js => datagrid_panel_title.js} (58%) diff --git a/docs/en_US/release_notes_4_9.rst b/docs/en_US/release_notes_4_9.rst index 975af149c..44682114d 100644 --- a/docs/en_US/release_notes_4_9.rst +++ b/docs/en_US/release_notes_4_9.rst @@ -40,4 +40,5 @@ Bug fixes | `Bug #4365 `_ - Fix help links for backup globals and backup server. | `Bug #4367 `_ - Fix an XSS issue seen in View/Edit data mode if a column name includes HTML. | `Bug #4378 `_ - Ensure Python escaping matched JS escaping and fix a minor XSS issue in the Query Tool that required superuser access to trigger. -| `Bug #4380 `_ - Ensure that both columns and partitions can be edited at the same time in the table dialog. \ No newline at end of file +| `Bug #4380 `_ - Ensure that both columns and partitions can be edited at the same time in the table dialog. +| `Bug #4386 `_ - Fix an XSS issue when username contains XSS vulnerable text. \ No newline at end of file diff --git a/web/pgadmin/tools/datagrid/static/js/datagrid.js b/web/pgadmin/tools/datagrid/static/js/datagrid.js index b7d64de41..cc0951943 100644 --- a/web/pgadmin/tools/datagrid/static/js/datagrid.js +++ b/web/pgadmin/tools/datagrid/static/js/datagrid.js 
@@ -13,10 +13,10 @@ define('pgadmin.datagrid', [ 'sources/sqleditor_utils', 'backbone', 'tools/datagrid/static/js/show_data', 'tools/datagrid/static/js/show_query_tool', 'pgadmin.browser.toolbar', - 'wcdocker', + 'tools/datagrid/static/js/datagrid_panel_title', 'wcdocker', ], function( gettext, url_for, $, _, alertify, pgAdmin, codemirror, sqlEditorUtils, - Backbone, showData, showQueryTool, toolBar + Backbone, showData, showQueryTool, toolBar, panelTitleFunc ) { // Some scripts do export their object in the window only. // Generally the one, which do no have AMD support. @@ -263,21 +263,7 @@ define('pgadmin.datagrid', [ launch_grid: function(trans_obj) { var self = this, panel_title = trans_obj.panel_title, - grid_title = trans_obj.panel_title, - panel_icon = '', - panel_tooltip = ''; - - if (trans_obj.is_query_tool == 'false') { - // Edit grid titles - panel_tooltip = gettext('View/Edit Data - ') + grid_title; - panel_title = grid_title; - panel_icon = 'fa fa-table'; - } else { - // Query tool titles - panel_tooltip = gettext('Query Tool - ') + grid_title; - panel_title = grid_title; - panel_icon = 'fa fa-bolt'; - } + grid_title = trans_obj.panel_title; // Open the panel if frame is initialized let titileForURLObj = sqlEditorUtils.removeSlashInTheString(grid_title); @@ -313,8 +299,7 @@ define('pgadmin.datagrid', [ var queryToolPanel = pgBrowser.docker.addPanel('frm_datagrid', wcDocker.DOCK.STACKED, propertiesPanel[0]); // Set panel title and icon - queryToolPanel.title(''+_.escape(panel_title)+''); - queryToolPanel.icon(panel_icon); + panelTitleFunc.setQueryToolDockerTitle(queryToolPanel, trans_obj.is_query_tool, panel_title); queryToolPanel.focus(); // Listen on the panel closed event. 
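Review bot: After this hunk `panel_title` and `grid_title` in `launch_grid` are both initialised to `trans_obj.panel_title` and neither is reassigned in the visible code, so the two names now carry the same value and the reader has to check that nothing diverges later; keep one, e.g. `var self = this, panel_title = trans_obj.panel_title;` and `let titileForURLObj = sqlEditorUtils.removeSlashInTheString(panel_title);`. Moving the icon/tooltip selection and the `_.escape` call into `setQueryToolDockerTitle` is the right direction, since it leaves a single place where the username-derived title is rendered. Note that `trans_obj.is_query_tool` is forwarded as-is; the removed code compared it with the string `'false'`, so callers should keep relying on the helper accepting both the string and the boolean form. The body of `launch_grid` continues past the end of the hunk.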
diff --git a/web/pgadmin/tools/datagrid/static/js/get_panel_title.js b/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js similarity index 58% rename from web/pgadmin/tools/datagrid/static/js/get_panel_title.js rename to web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js index 6aff905db..ec3a23068 100644 --- a/web/pgadmin/tools/datagrid/static/js/get_panel_title.js +++ b/web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js @@ -8,6 +8,7 @@ ////////////////////////////////////////////////////////////// import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node'; +import gettext from 'sources/gettext'; function getDatabaseLabel(parentData) { return parentData.database ? parentData.database.label @@ -33,3 +34,24 @@ export function getPanelTitle(pgBrowser, selected_item=null) { return `${db_label}/${parentData.server.user.name}@${parentData.server.label}`; } + +export function setQueryToolDockerTitle(panel, is_query_tool, panel_title, is_file) { + let panel_icon = '', panel_tooltip = ''; + + if(is_file || is_file == 'true'){ + panel_tooltip = gettext('File - ') + panel_title; + panel_icon = 'fa fa-file-text-o'; + } + else if (is_query_tool == 'false' || is_query_tool == false) { + // Edit grid titles + panel_tooltip = gettext('View/Edit Data - ') + panel_title; + panel_icon = 'fa fa-table'; + } else { + // Query tool titles + panel_tooltip = gettext('Query Tool - ') + panel_title; + panel_icon = 'fa fa-bolt'; + } + + panel.title(''+_.escape(panel_title)+''); + panel.icon(panel_icon); +} diff --git a/web/pgadmin/tools/datagrid/static/js/show_data.js b/web/pgadmin/tools/datagrid/static/js/show_data.js index 253f31d31..547daf77b 100644 --- a/web/pgadmin/tools/datagrid/static/js/show_data.js +++ b/web/pgadmin/tools/datagrid/static/js/show_data.js 
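Review bot: `setQueryToolDockerTitle` calls `_.escape(panel_title)`, but the only imports visible in this ES module are `getTreeNodeHierarchyFromIdentifier` and, with this patch, `gettext` — there is no import of `_`, so the escaping this XSS fix depends on resolves through a global underscore at call time and would throw a ReferenceError (leaving the title unset) wherever that global is not present; add `import _ from 'underscore';` beside the gettext import, mirroring how datagrid.js receives `_` through its define() list. The file-branch check `if(is_file || is_file == 'true'){` is also looser than the `is_query_tool` check two lines below: the string `'false'`, which this code base evidently passes for such flags, is truthy and would select the file icon and tooltip, so `if (is_file === true || is_file === 'true') {` and `else if (is_query_tool === false || is_query_tool === 'false') {` make the two tests consistent and drop the `==` coercion. As rendered here `panel_tooltip` is assigned in every branch but never used by the final `panel.title(...)` call; if the tooltip markup was lost in rendering, confirm that it too goes through `_.escape`, since it embeds the same user-controlled `panel_title`.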
@@ -9,7 +9,7 @@ import gettext from '../../../../static/js/gettext'; import url_for from '../../../../static/js/url_for'; import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node'; -import {getPanelTitle} from './get_panel_title'; +import {getPanelTitle} from './datagrid_panel_title'; import CodeMirror from 'bundled_codemirror'; import * as SqlEditorUtils from 'sources/sqleditor_utils'; import $ from 'jquery'; diff --git a/web/pgadmin/tools/datagrid/static/js/show_query_tool.js b/web/pgadmin/tools/datagrid/static/js/show_query_tool.js index 1fd9eee98..4b42c7a67 100644 --- a/web/pgadmin/tools/datagrid/static/js/show_query_tool.js +++ b/web/pgadmin/tools/datagrid/static/js/show_query_tool.js @@ -10,7 +10,7 @@ import gettext from '../../../../static/js/gettext'; import url_for from '../../../../static/js/url_for'; import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node'; -import {getPanelTitle} from './get_panel_title'; +import {getPanelTitle} from './datagrid_panel_title'; function hasDatabaseInformation(parentData) { return parentData.database; diff --git a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js index e2d69f78a..a85605745 100644 --- a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js +++ b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js @@ -36,6 +36,7 @@ define('tools.querytool', [ 'sources/sqleditor/call_render_after_poll', 'sources/sqleditor/query_tool_preferences', 'sources/csrf', + 'tools/datagrid/static/js/datagrid_panel_title', 'sources/../bundle/slickgrid', 'pgadmin.file_manager', 'backgrid.sizeable.columns', 
@@ -50,7 +51,7 @@ define('tools.querytool', [ XCellSelectionModel, setStagedRows, SqlEditorUtils, ExecuteQuery, httpErrorHandler, FilterHandler, GeometryViewer, historyColl, queryHist, keyboardShortcuts, queryToolActions, queryToolNotifications, Datagrid, - modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref, csrfToken) { + modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref, csrfToken, panelTitleFunc) { /* Return back, this has been called more than once */ if (pgAdmin.SqlEditor) return pgAdmin.SqlEditor; @@ -3046,7 +3047,7 @@ define('tools.querytool', [ }, // Set panel title. - setTitle: function(title, unsafe) { + setTitle: function(title, is_file) { var self = this; if (self.preferences.new_browser_tab) { @@ -3054,10 +3055,7 @@ define('tools.querytool', [ } else { _.each(window.top.pgAdmin.Browser.docker.findPanels('frm_datagrid'), function(p) { if (p.isVisible()) { - if(unsafe) { - title = _.escape(title); - } - p.title(title); + panelTitleFunc.setQueryToolDockerTitle(p, self.is_query_tool, title, is_file); } }); } diff --git a/web/regression/javascript/datagrid/get_panel_title_spec.js b/web/regression/javascript/datagrid/get_panel_title_spec.js index b1b9a7e48..15852d078 100644 --- a/web/regression/javascript/datagrid/get_panel_title_spec.js +++ b/web/regression/javascript/datagrid/get_panel_title_spec.js @@ -7,7 +7,7 @@ // ////////////////////////////////////////////////////////////// -import {getPanelTitle} from '../../../pgadmin/tools/datagrid/static/js/get_panel_title'; +import {getPanelTitle} from '../../../pgadmin/tools/datagrid/static/js/datagrid_panel_title'; import {TreeFake} from '../tree/tree_fake'; import {TreeNode} from '../../../pgadmin/static/js/tree/tree';
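Review bot: The second parameter of `setTitle` changes meaning from `unsafe` (escape this title) to `is_file` (show the file icon and tooltip) while keeping the same position, so any existing caller that still passes `true` to request escaping will now be rendered as a file panel; no call sites are in this diff, so every `setTitle(` caller should be checked and updated. Escaping is now unconditional through `setQueryToolDockerTitle`, which is the right outcome — a caller can no longer forget the flag — but a one-line comment such as `// title is always HTML-escaped by setQueryToolDockerTitle; is_file only selects icon/tooltip` would stop the old contract from being assumed. The `new_browser_tab` branch at the top of `setTitle` lies outside the hunk; whatever it does with `title` (presumably assigning `document.title`, a text sink) is not covered by this change and should be confirmed not to be an HTML sink. Since `self.is_query_tool` is forwarded directly and the helper compares it with `== false || == 'false'`, an unset value silently produces the 'Query Tool' icon rather than an error.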