From 8258edea9c3791b50f9767334c71992dcdc10e44 Mon Sep 17 00:00:00 2001
From: Javier Marcos <1271349+javuto@users.noreply.github.com>
Date: Mon, 23 Feb 2026 11:55:52 +0100
Subject: [PATCH 1/3] Sanitized query in on-demand query list
---
 cmd/admin/static/js/query.js | 20 ++++++++++++++++++--
 cmd/admin/templates/queries.html | 31 ++++++++++++++++++++++---------
 2 files changed, 40 insertions(+), 11 deletions(-)
diff --git a/cmd/admin/static/js/query.js b/cmd/admin/static/js/query.js
index b09ebfca..155900c8 100644
--- a/cmd/admin/static/js/query.js
+++ b/cmd/admin/static/js/query.js
@@ -117,9 +117,25 @@ function confirmDeleteSavedQueries(_names, _url) {
 $("#confirmModal").modal();
 }
+function escapeHTML(value) {
+ return String(value).replace(/&/g, "&").replace(//g, ">").replace(/"/g, """).replace(/'/g, "'");
+}
+
+function safeHref(href) {
+ const s = String(href || "").trim();
+ const lower = s.toLowerCase();
+ if (!s || lower.startsWith("javascript:") || lower.startsWith("data:") || lower.startsWith("vbscript:")) {
+ return "#";
+ }
+ return s;
+}
+
 function queryResultLink(link, query, url) {
- var external_link = '';
- return '' + query + " - " + external_link + " ";
+ var safeQuery = escapeHTML(query);
+ var safeURL = escapeHTML(safeHref(url));
+ var safeLink = escapeHTML(safeHref(link));
+ var external_link = '';
+ return '' + safeQuery + " - " + external_link + " ";
 }
 function toggleSaveQuery() {
diff --git a/cmd/admin/templates/queries.html b/cmd/admin/templates/queries.html
index 3708d5e5..67c5237a 100644
--- a/cmd/admin/templates/queries.html
+++ b/cmd/admin/templates/queries.html
@@ -1,4 +1,4 @@
- + {{ $metadata := .Metadata }} {{ $leftmeta := .LeftMetadata }} {{ template "page-head" . }}
@@ -13,9 +13,11 @@
- On-demand queries in {{ $leftmeta.EnvName }} + + On-demand queries in + {{ $leftmeta.EnvName }}
-
@@ -110,13 +112,24 @@ width: '40%', data: 'query', render: function (data, type, row, meta) { - if (type === 'display') { - return '
' + - queryResultLink(data.link, data.query, "/query/{{ $leftmeta.EnvUUID }}/logs/" + data.name) + - '
'; - } else { - return data; + if (type !== "display") { + return data && data.query ? data.query : ""; } + const logUrl = "/query/{{ $leftmeta.EnvUUID }}/logs/" + encodeURIComponent(String(data.name || "")); + const wrapper = $("
", { style: "max-width:400px; white-space:normal; word-break:break-word;" }); const queryLink = $("", { href: safeHref(logUrl), text: String(data.query || "") }); const externalLink = $("", { href: safeHref(data.link), target: "_blank", rel: "noopener noreferrer" }).append($("", { class: "fas fa-external-link-alt" })); wrapper.append($("", { class: "query-link" }).append(queryLink).append(" - ").append(externalLink)); return wrapper.prop("outerHTML"); } },{ targets: 2,
From 618a9c19c92506d6da6ea97413bc72c36ee8ae24 Mon Sep 17 00:00:00 2001
From: Javier Marcos <1271349+javuto@users.noreply.github.com>
Date: Mon, 23 Feb 2026 12:12:13 +0100
Subject: [PATCH 2/3] Update cmd/admin/static/js/query.js
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 cmd/admin/static/js/query.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/cmd/admin/static/js/query.js b/cmd/admin/static/js/query.js
index 155900c8..0c3386fb 100644
--- a/cmd/admin/static/js/query.js
+++ b/cmd/admin/static/js/query.js
@@ -124,10 +124,16 @@ function escapeHTML(value) {
 function safeHref(href) {
 const s = String(href || "").trim();
 const lower = s.toLowerCase();
- if (!s || lower.startsWith("javascript:") || lower.startsWith("data:") || lower.startsWith("vbscript:")) {
- return "#";
+ // Allow relative URLs (path, hash, or query only)
+ if (s.startsWith("/") || s.startsWith("#") || s.startsWith("?")) {
+ return s;
 }
- return s;
+ // Allow only http and https absolute URLs
+ if (lower.startsWith("http://") || lower.startsWith("https://")) {
+ return s;
+ }
+ // Fallback for disallowed or empty URLs
+ return "#";
 }
 function queryResultLink(link, query, url) {
From 6931d03d08a4c8c097673cc4fdad4c32a5e1c06a Mon Sep 17 00:00:00 2001 
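Review bot: When `safeHref(data.link)` falls back to `"#"`, the `externalLink` anchor and its icon are still appended to the cell, so a row whose stored link was rejected renders a clickable external-link icon that just reloads the current page. Compute the sanitized value once, `const extHref = safeHref(data.link);`, and append `externalLink` only when `extHref !== "#"` so rejected links produce no icon instead of a misleading one; the markers on these lines were lost in the page, so I read them as additions. The render callback begins before this hunk and the column definition continues after it.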
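Review bot: The relative-URL branch `if (s.startsWith("/") || s.startsWith("#") || s.startsWith("?"))` also accepts protocol-relative values beginning with `//`, which the browser resolves against a different host, so the comment "path, hash, or query only" is not what the check enforces for the `data.link` values the template hunk passes in. Change the condition to `if ((s.startsWith("/") && !s.startsWith("//")) || s.startsWith("#") || s.startsWith("?")) {` so that only same-origin paths take this branch and every cross-origin link has to pass the http/https check below. A short comment such as `// "//host/..." is absolute, not relative; it must pass the http(s) check` on the new line would explain the extra clause to the next reader.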
From: Javier Marcos <1271349+javuto@users.noreply.github.com>
Date: Mon, 23 Feb 2026 12:13:37 +0100
Subject: [PATCH 3/3] Remove function queryResultLink
---
 cmd/admin/static/js/query.js | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/cmd/admin/static/js/query.js b/cmd/admin/static/js/query.js
index 0c3386fb..a0d00ad2 100644
--- a/cmd/admin/static/js/query.js
+++ b/cmd/admin/static/js/query.js
@@ -136,14 +136,6 @@ function safeHref(href) {
 return "#";
 }
-function queryResultLink(link, query, url) {
- var safeQuery = escapeHTML(query);
- var safeURL = escapeHTML(safeHref(url));
- var safeLink = escapeHTML(safeHref(link));
- var external_link = '';
- return '' + safeQuery + " - " + external_link + " ";
-}
-
 function toggleSaveQuery() {
 $("#save_query_name").val("");
 if ($("#save_query_check").is(":checked")) {
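Review bot: With `queryResultLink` removed, `escapeHTML` (added in the first patch, just above this hunk's context) appears to have no remaining caller in this series, because the template hunk now builds the cell through jQuery `text:` and attribute properties rather than string concatenation; I cannot see the rest of query.js, so confirm before acting. Either drop `escapeHTML` in the same commit or add a one-line comment above it naming the call site that still relies on it, so it does not read as dead code next to `safeHref`. The `toggleSaveQuery` body continues past the end of the hunk.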