NMS-16585: Fixed XSS vulnerability

OpenNMS · Jan 16, 2025 · f4abc65 · f4abc65
1 parent a5290d9
commit f4abc65
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/opennms-webapp/src/main/webapp/admin/sched-outages/index.jsp b/opennms-webapp/src/main/webapp/admin/sched-outages/index.jsp
@@ -33,6 +33,7 @@
 	import="
 	java.util.*,
 	org.opennms.core.spring.BeanUtils,
+	org.opennms.core.utils.WebSecurityUtils,
 	org.opennms.netmgt.config.*,
 	org.opennms.netmgt.config.dao.outages.api.WriteablePollOutagesDao,
 	org.opennms.netmgt.config.dao.thresholding.api.WriteableThreshdDao,
@@ -192,7 +193,7 @@
 		    List<org.opennms.netmgt.config.poller.outages.Node> nodeList = pollOutagesDao.getNodeIds(outageName);
 						for (int j = 0; j < nodeList.size(); j++) {
 							OnmsNode elementNode = NetworkElementFactory.getInstance(getServletContext()).getNode(nodeList.get(j).getId());
-		%> <li><%=elementNode == null || elementNode.getType() == NodeType.DELETED ? "Node: Node ID " + nodeList.get(j).getId() + " Not Found" : "Node: " + elementNode.getLabel()%></li>
+		%> <li><%=elementNode == null || elementNode.getType() == NodeType.DELETED ? "Node: Node ID " + nodeList.get(j).getId() + " Not Found" : "Node: " + WebSecurityUtils.sanitizeString(elementNode.getLabel())%></li>
 		<%
 		    }
 						List<org.opennms.netmgt.config.poller.outages.Interface> interfaceList = pollOutagesDao.getInterfaces(outageName);

diff --git a/opennms-webapp/src/main/webapp/admin/sched-outages/jsonNodes.jsp b/opennms-webapp/src/main/webapp/admin/sched-outages/jsonNodes.jsp
@@ -30,7 +30,7 @@
 --%>
 
 <%@page language="java"
-        contentType="text/html"
+        contentType="application/json"
         session="true"
         import="java.util.*, java.util.regex.*,
         org.opennms.web.element.*,