Corrigir 5 vulnerabilidades XSS no frontend

Sanitizar valores dinâmicos com escapeHtml em pontos que estavam
sem proteção: tags no modal de agente, campo model no card,
mensagens de toast e expressão cron nos agendamentos; no prompt do
modal, a mensagem passa a ser atribuída via textContent em vez de innerHTML.
This commit is contained in:
Frederico Castro
2026-02-28 12:22:19 -03:00
parent b9681b6746
commit 2e14223dd4
4 changed files with 5 additions and 5 deletions


@@ -119,7 +119,7 @@ const AgentsUI = {
<div class="agent-meta">
<span class="agent-meta-item">
<i data-lucide="cpu"></i>
${model}
${Utils.escapeHtml(model)}
</span>
<span class="agent-meta-item">
<i data-lucide="clock"></i>
@@ -241,7 +241,7 @@ const AgentsUI = {
const tagsChips = document.getElementById('agent-tags-chips');
if (tagsChips) {
tagsChips.innerHTML = tags.map((t) =>
`<span class="tag-chip">${t}<button type="button" data-tag="${t}" class="tag-remove" aria-label="Remover tag ${t}">×</button></span>`
`<span class="tag-chip">${Utils.escapeHtml(t)}<button type="button" data-tag="${Utils.escapeHtml(t)}" class="tag-remove" aria-label="Remover tag ${Utils.escapeHtml(t)}">×</button></span>`
).join('');
}
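Review bot: In the second hunk the escaped tag is also interpolated inside quoted attributes (`data-tag="${Utils.escapeHtml(t)}"` and `aria-label="Remover tag ${Utils.escapeHtml(t)}"`), and that is only safe if `Utils.escapeHtml` escapes `"` (and ideally `'`) in addition to `<`, `>` and `&`; a helper that covers only the element context still lets a tag like `" onmouseover="…` break out of the attribute. The helper is not visible in this diff, so confirm it maps `"` to `&quot;` and `'` to `&#39;`, or sidestep the question by building each chip with `document.createElement('span')`, setting `chip.textContent`, and assigning `btn.dataset.tag = t` and `btn.setAttribute('aria-label', …)` so no escaping is needed at all. The `tags` array's origin and the enclosing method start before this hunk, so whether tags can carry user-controlled content is inferred from the commit message rather than seen here.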


@@ -69,7 +69,7 @@ const Modal = {
const inputEl = document.getElementById('prompt-modal-input');
if (titleEl) titleEl.textContent = title;
if (messageEl) messageEl.innerHTML = message;
if (messageEl) messageEl.textContent = message;
if (inputEl) inputEl.value = defaultValue;
Modal.open('prompt-modal-overlay');
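Review bot: Switching `messageEl.innerHTML = message` to `messageEl.textContent = message` is the right default, but it is a behaviour change, not just an escaping fix: any existing caller that passed intentional markup in `message` (a `<strong>` or `<br>`) will now display the tags literally, and this page does not show the callers. Grep the call sites before merging and, if some rely on formatting, give the method a separate explicit parameter for trusted markup rather than reverting to `innerHTML`. A one-line contract comment above the assignment would prevent the next person from "fixing" it back, e.g. `// message is rendered as plain text on purpose; never assign it via innerHTML`. The enclosing method begins before this hunk and continues after `Modal.open(...)`.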


@@ -47,7 +47,7 @@ const SchedulesUI = {
<td>${Utils.escapeHtml(schedule.agentName || '—')}</td>
<td class="schedule-task-cell" title="${Utils.escapeHtml(schedule.taskDescription || '')}">${Utils.escapeHtml(schedule.taskDescription || '—')}</td>
<td>
<code class="font-mono">${cronExpr}</code>
<code class="font-mono">${Utils.escapeHtml(cronExpr)}</code>
</td>
<td>${nextRun}</td>
<td><span class="badge ${statusClass}">${statusLabel}</span></td>
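Review bot: The two rows directly under the changed line, `<td>${nextRun}</td>` and `<span class="${statusClass}">${statusLabel}</span>`, are still interpolated raw into the same `innerHTML` template that this commit is hardening, so the row is only as safe as wherever those values come from. If `nextRun` is a server-supplied string (as `schedule.agentName` and `schedule.taskDescription` evidently are) it needs the same treatment, `<td>${Utils.escapeHtml(nextRun)}</td>`; if it and `statusLabel`/`statusClass` are derived locally from a fixed map, a short comment saying so would close the question for future readers. `cronExpr` is also the only cell in this row without the `|| '—'` fallback its siblings use, so `Utils.escapeHtml(cronExpr || '—')` would keep the column consistent if the helper does not already handle `undefined`. These values are assigned above the hunk, outside what is visible here.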


@@ -24,7 +24,7 @@ const Toast = {
toast.innerHTML = `
<span class="toast-icon" data-lucide="${iconName}"></span>
<span class="toast-message">${message}</span>
<span class="toast-message">${Utils.escapeHtml(message)}</span>
<button class="toast-close" aria-label="Fechar notificação">
<i data-lucide="x"></i>
</button>