OOZIE-3718 Improve Oozie Web UI filtering (NikhilDaf via dionusos)
diff --git a/webapp/src/main/webapp/oozie-console.js b/webapp/src/main/webapp/oozie-console.js
index b09a6d1..541eae7 100644
--- a/webapp/src/main/webapp/oozie-console.js
+++ b/webapp/src/main/webapp/oozie-console.js
@@ -204,8 +204,30 @@
     return filter;
 }
 
-function convertStatusToUpperCase(filterText) {
-    var converted = filterText.replace(/status=([a-zA-Z]+)/g, function(){
+// code imported and modified from Handlebars escapeExpression utility
+const escape = {
+  '&': '&',
+  '<': '&lt;',
+  '>': '&gt;',
+  '`': '&#x60;',
+};
+
+function escapeChar(chr) {
+  return escape[chr];
+}
+
+const badChars = /[&<>`]/g,
+  possible = /[&<>`]/;
+
+function escapeExpression(text) {
+  if (!possible.test(text)) {
+    return text;
+  }
+  return text.replace(badChars, escapeChar);
+}
+
+function convertStatusToUpperCaseAndEscapeHtml(filterText) {
+    var converted = escapeExpression(filterText).replace(/status=([a-zA-Z]+)/g, function(){
           var text = arguments[1];
           return "status="+ text.toUpperCase();
     });
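Review bot: The escape table maps `&` to itself (`'&': '&'`), so `escapeExpression` leaves ampersands untouched even though `badChars` matches them; the Handlebars source this was taken from has `'&': '&amp;'`. Without that entry an input containing `&lt;` or any other entity survives verbatim and is decoded by the browser wherever the text is rendered as HTML, so the output is not a faithful encoding of what the user typed. The table also drops Handlebars' `"` and `'` entries, which only matters if the filter text can land inside an attribute — that context is not visible in this hunk, so add them only if it applies. Change the entry to `'&': '&amp;',` and, if the attribute case is real, add `'"': '&quot;',` and `"'": '&#x27;',`.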
@@ -2618,7 +2640,7 @@
     handler: function() {
         Ext.Msg.prompt('Filter Criteria', 'Filter text:', function(btn, text) {
             if (btn == 'ok' && text) {
-                var filter = convertStatusToUpperCase(text);
+                var filter = convertStatusToUpperCaseAndEscapeHtml(text);
                 refreshCustomJobsAction.setText(filter);
                 Ext.state.Manager.setProvider(new Ext.state.CookieProvider({
                     expires: new Date(new Date().getTime()+315569259747)
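Review bot: The same HTML-escaped string is both shown in the button label and handed to the state provider a few lines later, so the persisted filter now holds `&lt;`/`&gt;`/`&#x60;` instead of the characters the user entered; if that stored value is later used as the actual job filter, comparisons on those characters will silently fail. The handler body continues outside the hunk, so how the stored state is consumed is not visible here and should be confirmed. If only the label needs protecting, keep the raw upper-cased value for state and escape at the display site, e.g. `refreshCustomJobsAction.setText(escapeExpression(filter));` with `filter` left unescaped. The same pattern repeats in the two following hunks for the coordinator and bundle actions.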
@@ -2637,7 +2659,7 @@
     handler: function() {
         Ext.Msg.prompt('Filter Criteria', 'Filter text:', function(btn, text) {
             if (btn == 'ok' && text) {
-                var filter = convertStatusToUpperCase(text);
+                var filter = convertStatusToUpperCaseAndEscapeHtml(text);
                 refreshCoordCustomJobsAction.setText(filter);
                 Ext.state.Manager.setProvider(new Ext.state.CookieProvider({
                     expires: new Date(new Date().getTime()+315569259747)
@@ -2656,7 +2678,7 @@
     handler: function() {
         Ext.Msg.prompt('Filter Criteria', 'Filter text:', function(btn, text) {
             if (btn == 'ok' && text) {
-                var filter = convertStatusToUpperCase(text);
+                var filter = convertStatusToUpperCaseAndEscapeHtml(text);
                 refreshBundleCustomJobsAction.setText(filter);
                 Ext.state.Manager.setProvider(new Ext.state.CookieProvider({
                     expires: new Date(new Date().getTime()+315569259747)
@@ -3231,7 +3253,7 @@
                     Ext.state.Manager.setProvider(new Ext.state.CookieProvider({
                         expires: new Date(new Date().getTime()+315569259747) // about 10 years from now!
                     }));
-                    var upper_value = convertStatusToUpperCase(value);
+                    var upper_value = convertStatusToUpperCaseAndEscapeHtml(value);
                     Ext.state.Manager.set("GlobalCustomFilter", upper_value);
                 }
             }}