From 6b70ca845d2328642c9211e528941a4253bb643c Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Tue, 31 Jan 2023 17:21:05 +0100 Subject: [PATCH] form: display-edit: add safe default renderer for display field Due to the value binding on can get interesting effects when the displayEdit field is in write (input) mode, as then the values still get relayed to the display field, which itself is wanted as the field supports live-switching, but even though the display field is disabled and hidden, the value will be still rendered and a user can XSS themselves inserting things like: Signed-off-by: Thomas Lamprecht --- src/form/DisplayEdit.js | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/src/form/DisplayEdit.js b/src/form/DisplayEdit.js
index 923ec6d..97b443f 100644
--- a/src/form/DisplayEdit.js
+++ b/src/form/DisplayEdit.js
@@ -68,6 +68,10 @@ Ext.define('Proxmox.form.field.DisplayEdit', {
 delete displayConfig.displayConfig;
 }
 
+ Ext.applyIf(displayConfig, {
+ renderer: v => Ext.htmlEncode(v),
+ });
+
 Ext.applyIf(displayConfig.bind, {
 hidden: '{editable}',
 disabled: '{editable}',
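Review bot: The encoding default set via `Ext.applyIf(displayConfig, { renderer: v => Ext.htmlEncode(v) })` is silently skipped whenever the caller's displayConfig already carries a `renderer` (applyIf only fills keys that are still undefined), so every custom renderer becomes solely responsible for escaping and the XSS this commit closes can be reintroduced by any caller without a visible hint. A why-comment at the insertion point would make that contract explicit, e.g. `// values are relayed to the (hidden) display field even in edit mode, so encode by default; a custom renderer in displayConfig replaces this and must escape untrusted values itself`. Ext.htmlEncode appears to pass falsy values through and stringify everything else, so the default should also cope with numbers and undefined, but that depends on the Ext version in use and is worth a quick check. The enclosing method starts and ends outside the hunk.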