From e6b8a379ba6939b4016b191fce916ebc68c5bc2c Mon Sep 17 00:00:00 2001
From: Julia Radzhabova <julia.radzhabova@onlyoffice.com>
Date: Mon, 26 Apr 2021 14:54:55 +0300
Subject: [PATCH] Fix vulnerability

---
 apps/common/main/lib/component/TreeView.js                 | 4 ++--
 apps/documenteditor/main/app/view/BookmarksDialog.js       | 2 +-
 apps/documenteditor/main/app/view/ControlSettingsDialog.js | 4 ++--
 apps/documenteditor/main/app/view/CrossReferenceDialog.js  | 2 +-
 apps/documenteditor/main/app/view/DocumentHolder.js        | 7 ++++++-
 apps/documenteditor/main/app/view/FormSettings.js          | 2 +-
 apps/spreadsheeteditor/main/app/controller/ViewTab.js      | 7 ++++++-
 apps/spreadsheeteditor/main/app/view/NameManagerDlg.js     | 2 +-
 apps/spreadsheeteditor/main/app/view/NamedRangePasteDlg.js | 2 +-
 apps/spreadsheeteditor/main/app/view/ViewManagerDlg.js     | 2 +-
 10 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/apps/common/main/lib/component/TreeView.js b/apps/common/main/lib/component/TreeView.js
index b8016b431..84c3fe860 100644
--- a/apps/common/main/lib/component/TreeView.js
+++ b/apps/common/main/lib/component/TreeView.js
@@ -176,11 +176,11 @@ define([
                         '<div class="tree-caret img-commonctrl ' + '<% if (!isExpanded) { %>' + 'up' + '<% } %>' + '" style="margin-left: <%= level*16 %>px;"></div>',
                     '<% } %>',
                     '<% if (isNotHeader) { %>',
-                        '<div class="name not-header"><%= name %></div>',
+                        '<div class="name not-header"><%= Common.Utils.String.htmlEncode(name) %></div>',
                     '<% } else if (isEmptyItem) { %>',
                         '<div class="name empty">' + options.emptyItemText + '</div>',
                     '<% } else { %>',
-                        '<div class="name"><%= name %></div>',
+                        '<div class="name"><%= Common.Utils.String.htmlEncode(name) %></div>',
                     '<% } %>',
                     '</div>'
                 ].join(''));
diff --git a/apps/documenteditor/main/app/view/BookmarksDialog.js b/apps/documenteditor/main/app/view/BookmarksDialog.js
index d6d305194..b03ab95f8 100644
--- a/apps/documenteditor/main/app/view/BookmarksDialog.js
+++ b/apps/documenteditor/main/app/view/BookmarksDialog.js
@@ -174,7 +174,7 @@ define([
                 el: $('#bookmarks-list', this.$window),
                 store: new Common.UI.DataViewStore(),
                 tabindex: 1,
-                itemTemplate: _.template('<div id="<%= id %>" class="list-item" style="pointer-events:none;overflow: hidden; text-overflow: ellipsis;"><%= value %></div>')
+                itemTemplate: _.template('<div id="<%= id %>" class="list-item" style="pointer-events:none;overflow: hidden; text-overflow: ellipsis;"><%= Common.Utils.String.htmlEncode(value) %></div>')
             });
             this.bookmarksList.store.comparator = function(rec) {
                 return (me.radioName.getValue() ? rec.get("value") : rec.get("location"));
diff --git a/apps/documenteditor/main/app/view/ControlSettingsDialog.js b/apps/documenteditor/main/app/view/ControlSettingsDialog.js
index b8c0b4b02..c921e816b 100644
--- a/apps/documenteditor/main/app/view/ControlSettingsDialog.js
+++ b/apps/documenteditor/main/app/view/ControlSettingsDialog.js
@@ -168,8 +168,8 @@ define([ 'text!documenteditor/main/app/template/ControlSettingsDialog.template',
                 template: _.template(['<div class="listview inner" style=""></div>'].join('')),
                 itemTemplate: _.template([
                     '<div id="<%= id %>" class="list-item" style="width: 100%;display:inline-block;">',
-                    '<div style="width:90px;display: inline-block;vertical-align: middle; overflow: hidden; text-overflow: ellipsis;white-space: pre;margin-right: 5px;"><%= name %></div>',
-                    '<div style="width:90px;display: inline-block;vertical-align: middle; overflow: hidden; text-overflow: ellipsis;white-space: pre;"><%= value %></div>',
+                    '<div style="width:90px;display: inline-block;vertical-align: middle; overflow: hidden; text-overflow: ellipsis;white-space: pre;margin-right: 5px;"><%= Common.Utils.String.htmlEncode(name) %></div>',
+                    '<div style="width:90px;display: inline-block;vertical-align: middle; overflow: hidden; text-overflow: ellipsis;white-space: pre;"><%= Common.Utils.String.htmlEncode(value) %></div>',
                     '</div>'
                 ].join('')),
                 tabindex: 1
diff --git a/apps/documenteditor/main/app/view/CrossReferenceDialog.js b/apps/documenteditor/main/app/view/CrossReferenceDialog.js
index f2a436813..e5934cf3b 100644
--- a/apps/documenteditor/main/app/view/CrossReferenceDialog.js
+++ b/apps/documenteditor/main/app/view/CrossReferenceDialog.js
@@ -183,7 +183,7 @@ define([
             this.refList = new Common.UI.ListView({
                 el: $window.find('#id-dlg-cross-list'),
                 store: new Common.UI.DataViewStore(),
-                itemTemplate: _.template('<div id="<%= id %>" class="list-item" style="pointer-events:none;overflow: hidden; text-overflow: ellipsis;white-space: pre;"><%= value %></div>')
+                itemTemplate: _.template('<div id="<%= id %>" class="list-item" style="pointer-events:none;overflow: hidden; text-overflow: ellipsis;white-space: pre;"><%= Common.Utils.String.htmlEncode(value) %></div>')
             });
             this.refList.on('entervalue', _.bind(this.onPrimary, this))
                         .on('item:dblclick', _.bind(this.onPrimary, this));
diff --git a/apps/documenteditor/main/app/view/DocumentHolder.js b/apps/documenteditor/main/app/view/DocumentHolder.js
index a5ac92070..68e9a89e2 100644
--- a/apps/documenteditor/main/app/view/DocumentHolder.js
+++ b/apps/documenteditor/main/app/view/DocumentHolder.js
@@ -4319,7 +4319,12 @@ define([
                 for (var i=0; i<count; i++) {
                     (specProps.get_ItemValue(i)!=='' || !isForm) && menu.addItem(new Common.UI.MenuItem({
                         caption     : specProps.get_ItemDisplayText(i),
-                        value       : specProps.get_ItemValue(i)
+                        value       : specProps.get_ItemValue(i),
+                        template    : _.template([
+                            '<a id="<%= id %>" style="<%= style %>" tabindex="-1" type="menuitem">',
+                            '<%= Common.Utils.String.htmlEncode(caption) %>',
+                            '</a>'
+                        ].join(''))
                     }));
                 }
                 if (!isForm && menu.items.length<1) {
diff --git a/apps/documenteditor/main/app/view/FormSettings.js b/apps/documenteditor/main/app/view/FormSettings.js
index c5da9f278..443f84bf2 100644
--- a/apps/documenteditor/main/app/view/FormSettings.js
+++ b/apps/documenteditor/main/app/view/FormSettings.js
@@ -224,7 +224,7 @@ define([
                 itemTemplate: _.template([
                     '<div id="<%= id %>" class="list-item" style="width: 100%;display:inline-block;">',
                     // '<div style="width:65px;display: inline-block;vertical-align: middle; overflow: hidden; text-overflow: ellipsis;white-space: pre;margin-right: 5px;"><%= name %></div>',
-                    '<div style="width:145px;display: inline-block;vertical-align: middle; overflow: hidden; text-overflow: ellipsis;white-space: pre;"><%= name %></div>',
+                    '<div style="width:145px;display: inline-block;vertical-align: middle; overflow: hidden; text-overflow: ellipsis;white-space: pre;"><%= Common.Utils.String.htmlEncode(name) %></div>',
                     '</div>'
                 ].join(''))
             });
diff --git a/apps/spreadsheeteditor/main/app/controller/ViewTab.js b/apps/spreadsheeteditor/main/app/controller/ViewTab.js
index b4c07e636..80c9e29a4 100644
--- a/apps/spreadsheeteditor/main/app/controller/ViewTab.js
+++ b/apps/spreadsheeteditor/main/app/controller/ViewTab.js
@@ -156,7 +156,12 @@ define([
                     caption : item.asc_getName(),
                     checkable: true,
                     allowDepress: false,
-                    checked : item.asc_getIsActive()
+                    checked : item.asc_getIsActive(),
+                    template    : _.template([
+                        '<a id="<%= id %>" style="<%= style %>" tabindex="-1" type="menuitem">',
+                        '<%= Common.Utils.String.htmlEncode(caption) %>',
+                        '</a>'
+                    ].join(''))
                 }));
                 if (item.asc_getIsActive())
                     active = true;
diff --git a/apps/spreadsheeteditor/main/app/view/NameManagerDlg.js b/apps/spreadsheeteditor/main/app/view/NameManagerDlg.js
index 9229ea8d9..e5989db39 100644
--- a/apps/spreadsheeteditor/main/app/view/NameManagerDlg.js
+++ b/apps/spreadsheeteditor/main/app/view/NameManagerDlg.js
@@ -123,7 +123,7 @@ define([  'text!spreadsheeteditor/main/app/template/NameManagerDlg.template',
                 itemTemplate: _.template([
                         '<div id="<%= id %>" class="list-item" style="width: 100%;display:inline-block;<% if (!lock) { %>pointer-events:none;<% } %>">',
                             '<div class="listitem-icon toolbar__icon <% print(isTable?"btn-menu-table":(isSlicer ? "btn-slicer" : "btn-named-range")) %>"></div>',
-                            '<div style="width:141px;padding-right: 5px;"><%= name %></div>',
+                            '<div style="width:141px;padding-right: 5px;"><%= Common.Utils.String.htmlEncode(name) %></div>',
                             '<div style="width:117px;padding-right: 5px;"><%= scopeName %></div>',
                             '<div style="width:204px;"><%= range %></div>',
                             '<% if (lock) { %>',
diff --git a/apps/spreadsheeteditor/main/app/view/NamedRangePasteDlg.js b/apps/spreadsheeteditor/main/app/view/NamedRangePasteDlg.js
index a977ac207..50fc84325 100644
--- a/apps/spreadsheeteditor/main/app/view/NamedRangePasteDlg.js
+++ b/apps/spreadsheeteditor/main/app/view/NamedRangePasteDlg.js
@@ -95,7 +95,7 @@ define([
                     '<div style="pointer-events:none;">',
                         '<div id="<%= id %>" class="list-item" style="pointer-events:none;width: 100%;display:inline-block;">',
                             '<div class="listitem-icon toolbar__icon <% print(isTable?"btn-menu-table":(isSlicer ? "btn-slicer" : "btn-named-range")) %>"></div>',
-                            '<div style="width:186px;padding-right: 5px;"><%= name %></div>',
+                            '<div style="width:186px;padding-right: 5px;"><%= Common.Utils.String.htmlEncode(name) %></div>',
                         '</div>',
                     '</div>'
                 ].join(''))
diff --git a/apps/spreadsheeteditor/main/app/view/ViewManagerDlg.js b/apps/spreadsheeteditor/main/app/view/ViewManagerDlg.js
index d41d1b08b..f606e72ec 100644
--- a/apps/spreadsheeteditor/main/app/view/ViewManagerDlg.js
+++ b/apps/spreadsheeteditor/main/app/view/ViewManagerDlg.js
@@ -118,7 +118,7 @@ define([
                 template: _.template(['<div class="listview inner" style=""></div>'].join('')),
                 itemTemplate: _.template([
                         '<div id="<%= id %>" class="list-item" style="width: 100%;height: 20px;display:inline-block;<% if (!lock) { %>pointer-events:none;<% } %>">',
-                            '<div style="width:100%;"><%= name %></div>',
+                            '<div style="width:100%;"><%= Common.Utils.String.htmlEncode(name) %></div>',
                             '<% if (lock) { %>',
                                 '<div class="lock-user"><%=lockuser%></div>',
                             '<% } %>',