Skip to content

Sanitize remaining XSS gaps in customer view and alert modal/popover#13

Merged
Che4ter merged 4 commits into
bv-developfrom
fix/customer-view-alert-sanitization
Jul 8, 2026
Merged

Sanitize remaining XSS gaps in customer view and alert modal/popover#13
Che4ter merged 4 commits into
bv-developfrom
fix/customer-view-alert-sanitization

Conversation

@Che4ter

@Che4ter Che4ter commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

Ports 4 follow-up fixes from contrib/security-fixes-and-backports (PR dfir-iris#1087 to upstream) that close XSS gaps left by the earlier "Sanitation in multiple views" / "Fixed duplicated entries" commits already on bv-develop:

  • owner and asset_type columns in the customer view's cases/assets tables were still rendering raw, unsanitized data; both could also throw on a null value.
  • DataTables sort/filter now compares against the raw value instead of the HTML-sanitized one (only the display render type needs sanitizing).
  • Alert-history modal entries (user, action) were still appended as raw HTML.
  • alert_title in the asset view's linked-alerts popover was only quote-escaped, not HTML-sanitized.

Test plan

  • Cherry-picked cleanly onto bv-develop with no conflicts
  • node --check passes on all 3 modified files
  • Manual smoke test: customer view cases/assets tables render correctly, alert history modal opens without duplicate entries, asset linked-alerts popover displays correctly

Che4ter added 4 commits July 8, 2026 10:42
…filter values

- 'owner' (case owner username) and 'asset_type' were left unsanitized
  by the previous sanitation pass in this same table config.
- sanitizeHTML was being applied unconditionally for every DataTables
  render call (display/sort/filter/type), causing the search box and
  sort order to operate on the HTML-encoded value instead of the raw
  one. Sanitize only for the 'display' type via a shared helper.
- Guard asset_type/owner renderers against a null value (asset_type_id
  and case owner are both nullable).
user and action come from modification_history, which embeds the
acting user's username verbatim. They were appended as raw HTML via
jQuery .append(), so a username containing HTML/script executed when
an analyst opened the alert history modal.
alert_title was only quote-escaped before being embedded in the
popover's HTML content, so a title containing unquoted HTML (e.g. an
img tag with an onerror handler) still executed. Run it through
sanitizeHTML before the quote-escaping used for the attribute context.
…olumns

Use the same falsy check (!data) as the owner/asset_type renderers
instead of a strict === null comparison, so an undefined state value
falls back to 'Unknown' instead of throwing on data.state_name.
@Che4ter Che4ter merged commit 7c343a9 into bv-develop Jul 8, 2026
6 of 8 checks passed
@Che4ter Che4ter deleted the fix/customer-view-alert-sanitization branch July 8, 2026 11:13
@Che4ter Che4ter mentioned this pull request Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant