From 599ccdc43c584fee6d0a238133f1e0d1117b33d8 Mon Sep 17 00:00:00 2001
From: dashevchenko
Date: Tue, 12 Aug 2025 18:30:42 +0300
Subject: [PATCH 1/3] added NoXss validation

---
 .../server/common/data/mobile/bundle/MobileAppBundle.java | 3 +++
 .../server/common/data/notification/rule/NotificationRule.java | 1 +
 .../common/data/notification/rule/NotificationRuleConfig.java | 2 ++
 .../template/DeliveryMethodNotificationTemplate.java | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/common/data/src/main/java/org/thingsboard/server/common/data/mobile/bundle/MobileAppBundle.java b/common/data/src/main/java/org/thingsboard/server/common/data/mobile/bundle/MobileAppBundle.java
index 2190972d7e..b023ba89c3 100644
--- a/common/data/src/main/java/org/thingsboard/server/common/data/mobile/bundle/MobileAppBundle.java
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/mobile/bundle/MobileAppBundle.java
@@ -30,6 +30,7 @@ import org.thingsboard.server.common.data.id.MobileAppId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.mobile.layout.MobileLayoutConfig;
 import org.thingsboard.server.common.data.validation.Length;
+import org.thingsboard.server.common.data.validation.NoXss;
 
 @EqualsAndHashCode(callSuper = true)
 @Data
@@ -40,9 +41,11 @@ public class MobileAppBundle extends BaseData implements HasT
 private TenantId tenantId;
 @Schema(description = "Application bundle title. Cannot be empty", requiredMode = Schema.RequiredMode.REQUIRED)
 @NotBlank
+ @NoXss
 @Length(fieldName = "title")
 private String title;
 @Schema(description = "Application bundle description.")
+ @NoXss
 @Length(fieldName = "description")
 private String description;
 @Schema(description = "Android application id")
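Review bot: The `@NoXss` constraints added on `title` and `description` only run when a bundle passes through bean validation on a new request, so records stored before this change are never re-checked; consumers should keep treating stored values as untrusted text and rely on output encoding at render time, with this annotation as defense in depth. The same applies to `NotificationRuleConfig.description` in the later hunk of this patch. If `NoXss` is pattern-based (its implementation is not visible here), a rejected value surfaces as a validation error rather than being cleaned, which is appropriate for display names but worth stating to API users, e.g. by extending the `@Schema` description with `Must not contain HTML or script markup.`. The class body continues outside the hunk.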
diff --git a/common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRule.java b/common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRule.java
index 81b5e0ccfb..fe87e0f966 100644
--- a/common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRule.java
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRule.java
@@ -62,6 +62,7 @@ public class NotificationRule extends BaseData implements Ha
 @Valid
 private NotificationRuleRecipientsConfig recipientsConfig;
 
+ @Valid
 private NotificationRuleConfig additionalConfig;
 
 private NotificationRuleId externalId;
diff --git a/common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRuleConfig.java b/common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRuleConfig.java
index 9103086b7c..013c0ae662 100644
--- a/common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRuleConfig.java
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRuleConfig.java
@@ -16,12 +16,14 @@ package org.thingsboard.server.common.data.notification.rule;
 
 import lombok.Data;
+import org.thingsboard.server.common.data.validation.NoXss;
 
 import java.io.Serializable;
 
 @Data
 public class NotificationRuleConfig implements Serializable {
 
+ @NoXss
 private String description;
 
 }
diff --git a/common/data/src/main/java/org/thingsboard/server/common/data/notification/template/DeliveryMethodNotificationTemplate.java b/common/data/src/main/java/org/thingsboard/server/common/data/notification/template/DeliveryMethodNotificationTemplate.java
index e660d49bca..d9b9df0fdf 100644
--- a/common/data/src/main/java/org/thingsboard/server/common/data/notification/template/DeliveryMethodNotificationTemplate.java
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/notification/template/DeliveryMethodNotificationTemplate.java
@@ -24,6 +24,7 @@ import jakarta.validation.constraints.NotEmpty;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 import org.thingsboard.server.common.data.notification.NotificationDeliveryMethod;
+import org.thingsboard.server.common.data.validation.NoXss;
 
 import java.util.List;
 
@@ -43,6 +44,7 @@ public abstract class DeliveryMethodNotificationTemplate {
 private boolean enabled;
 
 @NotEmpty
+ @NoXss
 protected String body;
 
 public DeliveryMethodNotificationTemplate(DeliveryMethodNotificationTemplate other) {

From 33df79cd12d5fa6b45e8da3247554f656494c468 Mon Sep 17 00:00:00 2001
From: dashevchenko
Date: Wed, 13 Aug 2025 11:19:16 +0300
Subject: [PATCH 2/3] added sanitize for widget action name on delete

---
 .../widget/action/manage-widget-actions.component.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts b/ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts
index a9b9d207d0..01404f7c6e 100644
--- a/ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts
+++ b/ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts
@@ -24,6 +24,7 @@ import {
 NgZone,
 OnDestroy,
 OnInit,
+ SecurityContext,
 ViewChild
 } from '@angular/core';
 import { ControlValueAccessor, NG_VALUE_ACCESSOR } from '@angular/forms';
@@ -53,6 +54,7 @@ import {
 import { deepClone } from '@core/utils';
 import { hidePageSizePixelValue } from '@shared/models/constants';
 import { CdkDragDrop, moveItemInArray } from '@angular/cdk/drag-drop';
+import { DomSanitizer } from '@angular/platform-browser';
 
 @Component({
 selector: 'tb-manage-widget-actions',
@@ -106,7 +108,8 @@ export class ManageWidgetActionsComponent extends PageComponent implements OnIni
 private dialogs: DialogService,
 private cd: ChangeDetectorRef,
 private elementRef: ElementRef,
- private zone: NgZone) {
+ private zone: NgZone,
+ private sanitizer: DomSanitizer) {
 super();
 const sortOrder: SortOrder = { property: 'actionSourceName', direction: Direction.ASC };
 this.pageLink = new PageLink(10, 0, null, sortOrder);
@@ -289,7 +292,8 @@ export class ManageWidgetActionsComponent extends PageComponent implements OnIni
 }
 const title = this.translate.instant('widget-config.delete-action-title');
 const content = this.translate.instant('widget-config.delete-action-text', {actionName: action.name});
- this.dialogs.confirm(title, content,
+ const safeContent = this.sanitizer.sanitize(SecurityContext.HTML, content);
+ this.dialogs.confirm(title, safeContent,
 this.translate.instant('action.no'), this.translate.instant('action.yes'), true).subscribe(
 (res) => {

From 1984615d5ac1a2fee2801b45275bd9e91704ebf9 Mon Sep 17 00:00:00 2001
From: dashevchenko
Date: Wed, 24 Sep 2025 11:45:18 +0300
Subject: [PATCH 3/3] rolled back @Noxss for body that can contain html

---
 .../template/DeliveryMethodNotificationTemplate.java | 2 --
 1 file changed, 2 deletions(-)

diff --git a/common/data/src/main/java/org/thingsboard/server/common/data/notification/template/DeliveryMethodNotificationTemplate.java b/common/data/src/main/java/org/thingsboard/server/common/data/notification/template/DeliveryMethodNotificationTemplate.java
index d9b9df0fdf..e660d49bca 100644
--- a/common/data/src/main/java/org/thingsboard/server/common/data/notification/template/DeliveryMethodNotificationTemplate.java
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/notification/template/DeliveryMethodNotificationTemplate.java
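Review bot: Sanitizing the whole translated message at `const safeContent = this.sanitizer.sanitize(SecurityContext.HTML, content);` is coarser than the data warrants: `action.name` is plain text, but `DomSanitizer.sanitize` only strips unsafe markup and keeps benign tags, so markup inside a name is still interpreted by the dialog instead of being shown literally. Escaping `actionName` before it is interpolated into the translation (an existing HTML-escape helper from `@core/utils` if the project has one, otherwise a small local `escapeHtml`) renders the name verbatim, and the sanitize call can then stay as a second layer for the translation string itself. `sanitize` is typed `string | null`; this only compiles if `DialogService.confirm` accepts that or strictNullChecks is off, which is not visible here. The enclosing delete handler starts and ends outside the hunk.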
@@ -24,7 +24,6 @@ import jakarta.validation.constraints.NotEmpty;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 import org.thingsboard.server.common.data.notification.NotificationDeliveryMethod;
-import org.thingsboard.server.common.data.validation.NoXss;
 
 import java.util.List;
 
@@ -44,7 +43,6 @@ public abstract class DeliveryMethodNotificationTemplate {
 private boolean enabled;
 
 @NotEmpty
- @NoXss
 protected String body;
 
 public DeliveryMethodNotificationTemplate(DeliveryMethodNotificationTemplate other) {
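Review bot: After this rollback nothing in `DeliveryMethodNotificationTemplate` records that `body` is deliberately exempt from `@NoXss` because it may carry HTML, so the next reader is likely to re-add the constraint exactly as PATCH 1/3 did. Add a comment above `protected String body;` such as `// may contain HTML by design (see PATCH 3/3); encoding or sanitizing it is the delivery method's responsibility — do not add @NoXss`. Whether each delivery method actually encodes or sanitizes the body before rendering is not visible here, and that rendering step is now the only control for this field. The class declaration and the rest of its body lie outside the hunk.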