Fix XSS in server owner selection (#2441)

Co-authored-by: Stepan Fedotov <stepan@crident.com>
Co-authored-by: Sergej <me@sergiz.com>

CHANGELOG.md

@@ -3,6 +3,10 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.7.19 (Derelict Dermodactylus)
+### Fixed
+* **[Security]** Fixes XSS in the admin area's server owner selection.
+
 ## v0.7.18 (Derelict Dermodactylus)
 ### Fixed
 * **[Security]** Re-addressed missed endpoint that would not properly limit a user account to 5 API keys.

public/themes/pterodactyl/js/admin/new-server.js

@@ -37,6 +37,12 @@ $(document).ready(function() {
         placeholder: 'Select Additional Allocations',
     });
 
+    function escapeHtml(str) {
+        var div = document.createElement('div');
+        div.appendChild(document.createTextNode(str));
+        return div.innerHTML;
+    }
+
     $('#pUserId').select2({
         ajax: {
             url: Router.route('admin.users.json'),
@@ -56,23 +62,23 @@ $(document).ready(function() {
         escapeMarkup: function (markup) { return markup; },
         minimumInputLength: 2,
         templateResult: function (data) {
-            if (data.loading) return data.text;
+            if (data.loading) return escapeHtml(data.text);
 
             return '<div class="user-block"> \
-                <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \
+                <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \
                 <span class="username"> \
-                    <a href="#">' + data.name_first + ' ' + data.name_last +'</a> \
+                    <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \
                 </span> \
-                <span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \
+                <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \
             </div>';
         },
         templateSelection: function (data) {
             return '<div> \
                 <span> \
-                    <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
+                    <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
                 </span> \
                 <span style="padding-left:5px;"> \
-                    ' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \
+                    ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \
                 </span> \
             </div>';
         }

resources/themes/pterodactyl/admin/servers/view/details.blade.php

@@ -83,6 +83,12 @@
 @section('footer-scripts')
     @parent
     <script>
+    function escapeHtml(str) {
+        var div = document.createElement('div');
+        div.appendChild(document.createTextNode(str));
+        return div.innerHTML;
+    }
+
     $('#pUserId').select2({
         ajax: {
             url: Router.route('admin.users.json'),
@@ -102,14 +108,14 @@
         escapeMarkup: function (markup) { return markup; },
         minimumInputLength: 2,
         templateResult: function (data) {
-            if (data.loading) return data.text;
+            if (data.loading) return escapeHtml(data.text);
 
             return '<div class="user-block"> \
-                <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \
+                <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \
                 <span class="username"> \
-                    <a href="#">' + data.name_first + ' ' + data.name_last +'</a> \
+                    <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \
                 </span> \
-                <span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \
+                <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \
             </div>';
         },
         templateSelection: function (data) {
@@ -125,10 +131,10 @@
 
             return '<div> \
                 <span> \
-                    <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
+                    <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
                 </span> \
                 <span style="padding-left:5px;"> \
-                    ' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \
+                    ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \
                 </span> \
             </div>';
         }