Fix an XSS issue when username contains XSS vulnerable text. Fixes #4386

docs/en_US/release_notes_4_9.rst

@@ -40,4 +40,5 @@ Bug fixes
 | `Bug #4365 <https://redmine.postgresql.org/issues/4365>`_ - Fix help links for backup globals and backup server.
 | `Bug #4367 <https://redmine.postgresql.org/issues/4367>`_ - Fix an XSS issue seen in View/Edit data mode if a column name includes HTML.
 | `Bug #4378 <https://redmine.postgresql.org/issues/4378>`_ - Ensure Python escaping matched JS escaping and fix a minor XSS issue in the Query Tool that required superuser access to trigger.
-| `Bug #4380 <https://redmine.postgresql.org/issues/4380>`_ - Ensure that both columns and partitions can be edited at the same time in the table dialog.
+| `Bug #4380 <https://redmine.postgresql.org/issues/4380>`_ - Ensure that both columns and partitions can be edited at the same time in the table dialog.
+| `Bug #4386 <https://redmine.postgresql.org/issues/4386>`_ - Fix an XSS issue when username contains XSS vulnerable text.

web/pgadmin/tools/datagrid/static/js/datagrid.js

@@ -13,10 +13,10 @@ define('pgadmin.datagrid', [
   'sources/sqleditor_utils', 'backbone',
   'tools/datagrid/static/js/show_data',
   'tools/datagrid/static/js/show_query_tool', 'pgadmin.browser.toolbar',
-  'wcdocker',
+  'tools/datagrid/static/js/datagrid_panel_title', 'wcdocker',
 ], function(
   gettext, url_for, $, _, alertify, pgAdmin, codemirror, sqlEditorUtils,
-  Backbone, showData, showQueryTool, toolBar
+  Backbone, showData, showQueryTool, toolBar, panelTitleFunc
 ) {
   // Some scripts do export their object in the window only.
   // Generally the one, which do no have AMD support.
@@ -263,21 +263,7 @@ define('pgadmin.datagrid', [
       launch_grid: function(trans_obj) {
         var self = this,
           panel_title = trans_obj.panel_title,
-          grid_title = trans_obj.panel_title,
+          grid_title = trans_obj.panel_title;
-          panel_icon = '',
-          panel_tooltip = '';
-
-        if (trans_obj.is_query_tool == 'false') {
-          // Edit grid titles
-          panel_tooltip = gettext('View/Edit Data - ') + grid_title;
-          panel_title = grid_title;
-          panel_icon = 'fa fa-table';
-        } else {
-          // Query tool titles
-          panel_tooltip = gettext('Query Tool - ') + grid_title;
-          panel_title = grid_title;
-          panel_icon = 'fa fa-bolt';
-        }
 
         // Open the panel if frame is initialized
         let titileForURLObj = sqlEditorUtils.removeSlashInTheString(grid_title);
@@ -313,8 +299,7 @@ define('pgadmin.datagrid', [
           var queryToolPanel = pgBrowser.docker.addPanel('frm_datagrid', wcDocker.DOCK.STACKED, propertiesPanel[0]);
 
           // Set panel title and icon
-          queryToolPanel.title('<span title="'+_.escape(panel_tooltip)+'">'+_.escape(panel_title)+'</span>');
+          panelTitleFunc.setQueryToolDockerTitle(queryToolPanel, trans_obj.is_query_tool, panel_title);
-          queryToolPanel.icon(panel_icon);
           queryToolPanel.focus();
 
           // Listen on the panel closed event.

web/pgadmin/tools/datagrid/static/js/datagrid_panel_title.js

@@ -8,6 +8,7 @@
 //////////////////////////////////////////////////////////////
 
 import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node';
+import gettext from 'sources/gettext';
 
 function getDatabaseLabel(parentData) {
   return parentData.database ? parentData.database.label
@@ -33,3 +34,24 @@ export function getPanelTitle(pgBrowser, selected_item=null) {
 
   return `${db_label}/${parentData.server.user.name}@${parentData.server.label}`;
 }
+
+export function setQueryToolDockerTitle(panel, is_query_tool, panel_title, is_file) {
+  let panel_icon = '', panel_tooltip = '';
+
+  if(is_file || is_file == 'true'){
+    panel_tooltip = gettext('File - ') + panel_title;
+    panel_icon = 'fa fa-file-text-o';
+  }
+  else if (is_query_tool == 'false' || is_query_tool == false) {
+    // Edit grid titles
+    panel_tooltip = gettext('View/Edit Data - ') + panel_title;
+    panel_icon = 'fa fa-table';
+  } else {
+    // Query tool titles
+    panel_tooltip = gettext('Query Tool - ') + panel_title;
+    panel_icon = 'fa fa-bolt';
+  }
+
+  panel.title('<span title="'+_.escape(panel_tooltip)+'">'+_.escape(panel_title)+'</span>');
+  panel.icon(panel_icon);
+}

web/pgadmin/tools/datagrid/static/js/show_data.js

@@ -9,7 +9,7 @@
 import gettext from '../../../../static/js/gettext';
 import url_for from '../../../../static/js/url_for';
 import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node';
-import {getPanelTitle} from './get_panel_title';
+import {getPanelTitle} from './datagrid_panel_title';
 import CodeMirror from 'bundled_codemirror';
 import * as SqlEditorUtils from 'sources/sqleditor_utils';
 import $ from 'jquery';

web/pgadmin/tools/datagrid/static/js/show_query_tool.js

@@ -10,7 +10,7 @@
 import gettext from '../../../../static/js/gettext';
 import url_for from '../../../../static/js/url_for';
 import {getTreeNodeHierarchyFromIdentifier} from '../../../../static/js/tree/pgadmin_tree_node';
-import {getPanelTitle} from './get_panel_title';
+import {getPanelTitle} from './datagrid_panel_title';
 
 function hasDatabaseInformation(parentData) {
   return parentData.database;

web/pgadmin/tools/sqleditor/static/js/sqleditor.js

@@ -36,6 +36,7 @@ define('tools.querytool', [
   'sources/sqleditor/call_render_after_poll',
   'sources/sqleditor/query_tool_preferences',
   'sources/csrf',
+  'tools/datagrid/static/js/datagrid_panel_title',
   'sources/../bundle/slickgrid',
   'pgadmin.file_manager',
   'backgrid.sizeable.columns',
@@ -50,7 +51,7 @@ define('tools.querytool', [
   XCellSelectionModel, setStagedRows, SqlEditorUtils, ExecuteQuery, httpErrorHandler, FilterHandler,
   GeometryViewer, historyColl, queryHist,
   keyboardShortcuts, queryToolActions, queryToolNotifications, Datagrid,
-  modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref, csrfToken) {
+  modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref, csrfToken, panelTitleFunc) {
   /* Return back, this has been called more than once */
   if (pgAdmin.SqlEditor)
     return pgAdmin.SqlEditor;
@@ -3046,7 +3047,7 @@ define('tools.querytool', [
       },
 
       // Set panel title.
-      setTitle: function(title, unsafe) {
+      setTitle: function(title, is_file) {
         var self = this;
 
         if (self.preferences.new_browser_tab) {
@@ -3054,10 +3055,7 @@ define('tools.querytool', [
         } else {
           _.each(window.top.pgAdmin.Browser.docker.findPanels('frm_datagrid'), function(p) {
             if (p.isVisible()) {
-              if(unsafe) {
+              panelTitleFunc.setQueryToolDockerTitle(p, self.is_query_tool, title, is_file);
-                title = _.escape(title);
-              }
-              p.title(title);
             }
           });
         }

web/regression/javascript/datagrid/get_panel_title_spec.js

@@ -7,7 +7,7 @@
 //
 //////////////////////////////////////////////////////////////
 
-import {getPanelTitle} from '../../../pgadmin/tools/datagrid/static/js/get_panel_title';
+import {getPanelTitle} from '../../../pgadmin/tools/datagrid/static/js/datagrid_panel_title';
 import {TreeFake} from '../tree/tree_fake';
 import {TreeNode} from '../../../pgadmin/static/js/tree/tree';