form: display-edit: add safe default renderer for display field

Due to the value binding one can get interesting effects when the
displayEdit field is in write (input) mode, as then the values still
get relayed to the display field, which itself is wanted as the field
supports live-switching, but even though the display field is
disabled and hidden, the value will be still rendered and a user can
XSS themselves inserting things like:
<img src="a" onerror="alert('cookie:'+document.cookie);"></token

And even though it's harmless (your browser knows your own cookie
already), it is rather odd and simply too cheap to harden against (per
default) to not do so.

Reported-by: Marcel Fromkorth <marcel.fromkorth@8com.de>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
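The mechanism the commit message describes, as an added example that is not part of the proxmox-widget-toolkit commit: a display field whose renderer passes the value through verbatim versus the `Ext.applyIf` default renderer the change introduces. `Ext.htmlEncode` and `Ext.applyIf` are not available offline, so minimal stand-ins are written here; it is an assumption that they match the ExtJS behaviour closely enough for this demonstration (same five encoded characters, defaults applied only where the key is absent).

```javascript
// Added example, not code from the proxmox-widget-toolkit commit.
// Stand-in for Ext.htmlEncode (assumption: encodes & < > " ' like Ext.String.htmlEncode).
function htmlEncode(value) {
  if (value === undefined || value === null || value === '') return value;
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for Ext.applyIf: copy defaults only for keys the config does not set.
function applyIf(config, defaults) {
  for (const key of Object.keys(defaults)) {
    if (config[key] === undefined) config[key] = defaults[key];
  }
  return config;
}

// Before the change: a displayConfig without a renderer shows the raw value,
// which is where a bound value containing markup ends up in the DOM unencoded.
function renderBefore(displayConfig, value) {
  const renderer = displayConfig.renderer || (v => v);
  return renderer(value);
}

// After the change: the same default the hunk adds. applyIf leaves a
// caller-supplied renderer untouched, so only the missing-renderer case changes.
function renderAfter(displayConfig, value) {
  applyIf(displayConfig, { renderer: v => htmlEncode(v) });
  return displayConfig.renderer(value);
}

// Constructed sample value with the same shape as the payload in the commit message.
const SAMPLE = '<img src="a" onerror="alert(1)">';

function demo() {
  return {
    before: renderBefore({}, SAMPLE),
    after: renderAfter({}, SAMPLE),
    // A custom renderer is kept as-is, so it remains responsible for its own encoding.
    custom: renderAfter({ renderer: v => `[${v}]` }, SAMPLE),
  };
}

console.log(demo());
```

The `custom` case is the one to keep in mind when reviewing callers: `Ext.applyIf` makes the encoding a default, not an override, so any `displayConfig.renderer` a consumer passes in still has to encode what it returns.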
This commit is contained in:
Thomas Lamprecht 2023-01-31 17:21:05 +01:00
parent 319d450bec
commit 6b70ca845d

@ -68,6 +68,10 @@ Ext.define('Proxmox.form.field.DisplayEdit', {
delete displayConfig.displayConfig;
}
Ext.applyIf(displayConfig, {
renderer: v => Ext.htmlEncode(v),
});
Ext.applyIf(displayConfig.bind, {
hidden: '{editable}',
disabled: '{editable}',
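Review bot: the `Ext.applyIf(displayConfig, { renderer: v => Ext.htmlEncode(v) })` block sets the encoding renderer only when the caller supplied none, so any existing `displayConfig.renderer` passed by a consumer bypasses it and remains responsible for encoding its own output; a one-line comment above the `Ext.applyIf` saying that this is a default for the no-renderer case (and why, given the live-switching bind described in the message) would save the next reader from assuming all display values are now encoded.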