From 523d8c1317725143556d771d960cf957d72ffbb8 Mon Sep 17 00:00:00 2001
From: Mike Gelfand <mikedld@mikedld.com>
Date: Fri, 23 Feb 2018 01:27:31 +0300
Subject: [PATCH] Tracker error XSS in inspector (web client)

Tracker error messages are inadequately output encoded when rendered by the
tracker information page inside the WebUI, allowing a malicious tracker to
inject an XSS payload into the page. Esploiting this issue allows an
attacker to supply arbitrary client-side code that will ultimately be
rendered and executed within the end user's web browser.

Found by Rory McNamara (Gotham Digital Science). CVE pending.
---
 web/javascript/inspector.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/javascript/inspector.js b/web/javascript/inspector.js
index 19ea36aaf..917334dd3 100644
--- a/web/javascript/inspector.js
+++ b/web/javascript/inspector.js
@@ -742,9 +742,9 @@ function Inspector(controller) {
 				html.push('<li class="inspector_tracker_entry ', parity, '"><div class="tracker_host" title="', sanitizeText(tracker.announce), '">',
 				          sanitizeText(tracker.host || tracker.announce), '</div>',
 				          '<div class="tracker_activity">',
-				          '<div>', lastAnnounceStatusHash['label'], ': ', lastAnnounceStatusHash['value'], '</div>',
+				          '<div>', lastAnnounceStatusHash['label'], ': ', sanitizeText(lastAnnounceStatusHash['value']), '</div>',
 				          '<div>', announceState, '</div>',
-				          '<div>', lastScrapeStatusHash['label'], ': ', lastScrapeStatusHash['value'], '</div>',
+				          '<div>', lastScrapeStatusHash['label'], ': ', sanitizeText(lastScrapeStatusHash['value']), '</div>',
 				          '</div><table class="tracker_stats">',
 				          '<tr><th>Seeders:</th><td>', (tracker.seederCount > -1 ? tracker.seederCount : na), '</td></tr>',
 				          '<tr><th>Leechers:</th><td>', (tracker.leecherCount > -1 ? tracker.leecherCount : na), '</td></tr>',
-- 
2.40.0