From cb26ca0e46e9947977937654e935cb974fd989f1 Mon Sep 17 00:00:00 2001 From: Khushboo Vashi Date: Mon, 9 Dec 2019 18:00:56 +0530 Subject: [PATCH] =?UTF-8?q?Fix=20XSS=20issue=20in=20explain=20and=20explai?= =?UTF-8?q?n=20analyze=C2=A0for=20table=20and=20type=20which=20contain=20H?= =?UTF-8?q?TML.=20Fixes=20#4947.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/en_US/release_notes_4_16.rst | 1 + web/pgadmin/misc/static/explain/js/explain.js | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/en_US/release_notes_4_16.rst b/docs/en_US/release_notes_4_16.rst index 853704160..a8492735e 100644 --- a/docs/en_US/release_notes_4_16.rst +++ b/docs/en_US/release_notes_4_16.rst @@ -47,6 +47,7 @@ Bug fixes | `Issue #4933 `_ - Ensure that the Servers collection node should expand independently of server connections. | `Issue #4934 `_ - Fix the help button link on the User Management dialog. | `Issue #4935 `_ - Fix accessibility issues. +| `Issue #4947 `_ - Fix XSS issue in explain and explain analyze for table and type which contain HTML. | `Issue #4952 `_ - Fix an issue of retrieving properties for Compound Triggers. It's a regression of #4006. | `Issue #4953 `_ - Fix an issue where pgAdmin4 unable to retrieve table node if the trigger is already disabled and the user clicks on Enable All. | `Issue #4958 `_ - Fix reverse engineering SQL issue for triggers when passed a single argument to trigger function. diff --git a/web/pgadmin/misc/static/explain/js/explain.js b/web/pgadmin/misc/static/explain/js/explain.js index e0aeb100c..e783afa9f 100644 --- a/web/pgadmin/misc/static/explain/js/explain.js +++ b/web/pgadmin/misc/static/explain/js/explain.js @@ -436,7 +436,7 @@ define('pgadmin.misc.explain', [ tooltip.push(' as '); display_text.push(''); display_text.push(_.escape(_planData['Alias'])); - tooltip.push(_planData['Alias']); + tooltip.push(_.escape(_planData['Alias'])); display_text.push(''); } }
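Review bot: In the explain.js hunk the fix escapes only `_planData['Alias']` before it is pushed into `tooltip`, yet the subject and release note describe an XSS in "table and type which contain HTML"; please confirm that the other plan strings appended to `tooltip` in this block (the table and type names the subject refers to) are already passed through `_.escape`, or extend the change to them in the same commit, since `display_text` was already escaping Alias here and the tooltip path is where the raw value leaked. It would also help to add a regression test that feeds a plan whose alias contains a `<script>` fragment through the explain renderer and asserts the tooltip markup is escaped, so the docs line `Fix XSS issue in explain and explain analyze for table and type which contain HTML.` is backed by a check rather than only this one-line change.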