Corrigir 5 vulnerabilidades XSS no frontend

Sanitizar valores dinâmicos com escapeHtml em pontos que estavam
sem proteção: tags no modal de agente, campo model no card,
mensagens de toast, prompt do modal e expressão cron nos agendamentos.
This commit is contained in:
Frederico Castro
2026-02-28 12:22:19 -03:00
parent b9681b6746
commit 2e14223dd4
4 changed files with 5 additions and 5 deletions


@@ -119,7 +119,7 @@ const AgentsUI = {
<div class="agent-meta"> <div class="agent-meta">
<span class="agent-meta-item"> <span class="agent-meta-item">
<i data-lucide="cpu"></i> <i data-lucide="cpu"></i>
${model} ${Utils.escapeHtml(model)}
</span> </span>
<span class="agent-meta-item"> <span class="agent-meta-item">
<i data-lucide="clock"></i> <i data-lucide="clock"></i>
@@ -241,7 +241,7 @@ const AgentsUI = {
const tagsChips = document.getElementById('agent-tags-chips'); const tagsChips = document.getElementById('agent-tags-chips');
if (tagsChips) { if (tagsChips) {
tagsChips.innerHTML = tags.map((t) => tagsChips.innerHTML = tags.map((t) =>
`<span class="tag-chip">${t}<button type="button" data-tag="${t}" class="tag-remove" aria-label="Remover tag ${t}">×</button></span>` `<span class="tag-chip">${Utils.escapeHtml(t)}<button type="button" data-tag="${Utils.escapeHtml(t)}" class="tag-remove" aria-label="Remover tag ${Utils.escapeHtml(t)}">×</button></span>`
).join(''); ).join('');
} }
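Review bot: On the tags line `Utils.escapeHtml(t)` is now interpolated inside attribute values (`data-tag="…"` and `aria-label="…"`), so the helper must escape `"` (and ideally `'`) in addition to `&`, `<` and `>`; its implementation is not part of this commit, and an angle-bracket-only escape would still allow breaking out of the attribute. If it does not already cover quotes, extend that one helper rather than adding a second attribute-specific escaper, since the same function now guards both text and attribute contexts. The `model` interpolation at line 119 is in text content and is covered by either form. Both hunks are inside AgentsUI methods whose bodies begin outside the hunks.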


@@ -69,7 +69,7 @@ const Modal = {
const inputEl = document.getElementById('prompt-modal-input'); const inputEl = document.getElementById('prompt-modal-input');
if (titleEl) titleEl.textContent = title; if (titleEl) titleEl.textContent = title;
if (messageEl) messageEl.innerHTML = message; if (messageEl) messageEl.textContent = message;
if (inputEl) inputEl.value = defaultValue; if (inputEl) inputEl.value = defaultValue;
Modal.open('prompt-modal-overlay'); Modal.open('prompt-modal-overlay');
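Review bot: Changing `messageEl` from `innerHTML` to `textContent` also changes the contract of the `message` argument: any caller that passed markup (line breaks as `<br>`, emphasis tags) will now show the tags literally, and the commit does not update callers, so they should be checked. Since the function now treats `title` and `message` identically, document that at the assignment, e.g. `// message is rendered as plain text; pass a preformatted string, not HTML`. The enclosing function begins before this hunk.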


@@ -47,7 +47,7 @@ const SchedulesUI = {
<td>${Utils.escapeHtml(schedule.agentName || '—')}</td> <td>${Utils.escapeHtml(schedule.agentName || '—')}</td>
<td class="schedule-task-cell" title="${Utils.escapeHtml(schedule.taskDescription || '')}">${Utils.escapeHtml(schedule.taskDescription || '—')}</td> <td class="schedule-task-cell" title="${Utils.escapeHtml(schedule.taskDescription || '')}">${Utils.escapeHtml(schedule.taskDescription || '—')}</td>
<td> <td>
<code class="font-mono">${cronExpr}</code> <code class="font-mono">${Utils.escapeHtml(cronExpr)}</code>
</td> </td>
<td>${nextRun}</td> <td>${nextRun}</td>
<td><span class="badge ${statusClass}">${statusLabel}</span></td> <td><span class="badge ${statusClass}">${statusLabel}</span></td>
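Review bot: In the same template literal, `nextRun`, `statusClass` and `statusLabel` on the two lines after the fixed `cronExpr` are still interpolated raw, and `statusClass` lands inside a `class` attribute. If those three come from a fixed lookup keyed by status and from a date formatter this is fine, but if any of them falls back to a field of `schedule` the way `schedule.agentName` does above, it needs the same treatment, e.g. `<td>${Utils.escapeHtml(nextRun)}</td>`. Their derivation is outside the hunk, so this is worth confirming before closing the XSS ticket.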


@@ -24,7 +24,7 @@ const Toast = {
toast.innerHTML = ` toast.innerHTML = `
<span class="toast-icon" data-lucide="${iconName}"></span> <span class="toast-icon" data-lucide="${iconName}"></span>
<span class="toast-message">${message}</span> <span class="toast-message">${Utils.escapeHtml(message)}</span>
<button class="toast-close" aria-label="Fechar notificação"> <button class="toast-close" aria-label="Fechar notificação">
<i data-lucide="x"></i> <i data-lucide="x"></i>
</button> </button>