From fd30387c26144cda3a5ab50c3946635bec1020b7 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 11 Aug 2017 16:51:10 +0200
Subject: [PATCH] rec: Fix XSS in the web interface

(cherry picked from commit 2d801e832ed07dbbcbe9aa9bb6cca99c077916bf)
---
 pdns/dnsdistdist/html/local.js  | 98 ---------------------------------
 pdns/recursordist/html/local.js | 53 ++++++++++++++----
 2 files changed, 41 insertions(+), 110 deletions(-)

diff --git a/pdns/dnsdistdist/html/local.js b/pdns/dnsdistdist/html/local.js
index 26618447b..4241d503a 100644
--- a/pdns/dnsdistdist/html/local.js
+++ b/pdns/dnsdistdist/html/local.js
@@ -46,97 +46,6 @@ $(document).ready(function() {
     cpugraph.render();
     var intervalcount=0;
 
-    function updateRingBuffers()
-    {
-        var filtered=$("#filter1").is(':checked')
-        var qstring='jsonstat?command=get-query-ring&name=queries';
-        if(filtered)
-            qstring=qstring+"&public-filtered=1";
-
-        $.getJSON(qstring,
-                  function(data) {
-                      console.log(data);
-                      var bouw="<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr>";
-                      var num=0;
-                      var total=0, rest=0;
-                      $.each(data["entries"], function(a,b) {
-                          total+=b[0];
-                          if(num++ > 10) {
-                              rest+=b[0];
-                              return;
-                          }
-                          if(b[1].length > 25)
-                              b[1]=b[1].substring(0,25);
-
-                          bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>");
-                      });
-                      bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
-                      bouw=bouw+"</table>";
-                      $("#queryring").html(bouw);
-
-                  });
-
-        filtered=$("#filter2").is(':checked')
-        qstring='jsonstat?command=get-query-ring&name=servfail-queries';
-        if(filtered)
-            qstring=qstring+"&public-filtered=1";
-
-        $.getJSON(qstring, 
-                  function(data) {
-                      var bouw="<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr>";
-                      var num=0, total=0, rest=0;
-                      $.each(data["entries"], function(a,b) {
-                          total+=b[0];
-                          if(num++ > 10) {
-                              rest+=b[0];
-                              return;
-                          }
-                          if(b[1].length > 25)
-                              b[1]=b[1].substring(0,25);
-                          bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>");
-                      });
-                      bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
-                      bouw=bouw+"</table>";
-                      $("#servfailqueryring").html(bouw);
-
-                  });
-
-        $.getJSON('jsonstat?command=get-remote-ring&name=remotes', 
-                  function(data) {
-                      var bouw="<table><tr><th>Number</th><th>Remote</th></tr>";
-                      var num=0, total=0, rest=0;
-                      $.each(data["entries"], function(a,b) {
-                          total+=b[0];
-                          if(num++ > 10) {
-                              rest +=b[0];
-                              return;
-                          }
-                          bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td></tr>");
-                      });
-                      bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
-                      bouw=bouw+"</table>";
-                      $("#remotering").html(bouw);
-
-                  });
-
-        $.getJSON('jsonstat?command=get-remote-ring&name=servfail-remotes', 
-                  function(data) {
-                      var bouw="<table><tr><th>Number</th><th>Servfail Remote</th></tr>";
-                      var num=0, total=0, rest=0;
-                      $.each(data["entries"], function(a,b) {
-                          total+=b[0];
-                          if(num++ > 10) {
-                              rest += b[0];
-                              return;
-                          }
-                          bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td></tr>");
-                      });
-                      bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
-                      bouw=bouw+"</table>";
-                      $("#servfailremotering").html(bouw);
-                  });
-    }
-
     function update()
     {
         $.ajax({
@@ -227,10 +136,6 @@ $(document).ready(function() {
                });
 
 
-//        if((intervalcount++)%5)
-  //          return;
-        //      updateRingBuffers();
-
         $.ajax({ url: 'jsonstat?command=dynblocklist', type: 'GET', dataType: 'json', jsonp: false,
                  success: function(data) {
                      var bouw='<table width="100%"><tr align=left><th>Dyn blocked netmask</th><th>Seconds</th><th>Blocks</th><th align=left>Reason</th></tr>';
@@ -267,9 +172,6 @@ $(document).ready(function() {
 
     };
     
-    $("#filter1").click(updateRingBuffers);
-    $("#filter2").click(updateRingBuffers);
-
     update();
     setInterval(update, 1000);
 });
diff --git a/pdns/recursordist/html/local.js b/pdns/recursordist/html/local.js
index 1cad60468..7ed22234b 100644
--- a/pdns/recursordist/html/local.js
+++ b/pdns/recursordist/html/local.js
@@ -63,7 +63,7 @@ $(document).ready(function() {
 
 	$.getJSON(qstring,
 		  function(data) {
-		      var bouw="<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr>";
+		      var table = $('<table><tr><th>Number</th><th>Domain</th><th>Type</th></tr></table>');
 		      var num=0;
 		      var total=0, rest=0;
 		      $.each(data["entries"], function(a,b) {
@@ -75,12 +75,26 @@ $(document).ready(function() {
 			  if(b[1].length > 25)
 			      b[1]=b[1].substring(0,25);
 
-			  bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>");
-		      });
-		      bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
-		      bouw=bouw+"</table>";
-		      $("#queryring").html(bouw);
-
+			  var line = $('<tr />');
+			  var number = $('<td />');
+			  number.text(b[0]);
+			  var domain = $('<td />');
+			  domain.text(b[1]);
+			  var type = $('<td />');
+			  type.text(b[2]);
+			  line.append(number);
+			  line.append(domain);
+			  line.append(type);
+			  table.append(line);
+                      });
+		      var line = $('<tr />');
+		      var number = $('<td />');
+		      number.text(rest);
+		      var label = $('<td>Rest</td>');
+		      line.append(number);
+		      line.append(label);
+		      table.append(line);
+		      $("#queryring").html(table);
 		  });
 
 	filtered=$("#filter2").is(':checked')
@@ -91,7 +105,7 @@ $(document).ready(function() {
 
 	$.getJSON(qstring, 
 		  function(data) {
-		      var bouw="<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr>";
+		      var table = $('<table><tr><th>Number</th><th>Servfail domain</th><th>Type</th></tr></table>');
 		      var num=0, total=0, rest=0;
 		      $.each(data["entries"], function(a,b) {
 			  total+=b[0];
@@ -101,11 +115,26 @@ $(document).ready(function() {
 			  }
 			  if(b[1].length > 25)
 			      b[1]=b[1].substring(0,25);
-			  bouw=bouw+("<tr><td>"+b[0]+"</td><td>"+b[1]+"</td><td>"+b[2]+"</td></tr>");
+			  var line = $('<tr />');
+			  var number = $('<td />');
+			  number.text(b[0]);
+			  var domain = $('<td />');
+			  domain.text(b[1]);
+			  var type = $('<td />');
+			  type.text(b[2]);
+			  line.append(number);
+			  line.append(domain);
+			  line.append(type);
+			  table.append(line);
 		      });
-		      bouw+="<tr><td>"+rest+"</td><td>Rest</td></tr>";
-		      bouw=bouw+"</table>";
-		      $("#servfailqueryring").html(bouw);
+		      var line = $('<tr />');
+		      var number = $('<td />');
+		      number.text(rest);
+		      var label = $('<td>Rest</td>');
+		      line.append(number);
+		      line.append(label);
+		      table.append(line);
+		      $("#servfailqueryring").html(table);
 
 		  });
 
-- 
2.40.0