authorPetr Vobornik <pvoborni@redhat.com>2014-11-10 16:24:15 +0100
committerTomas Babej <tbabej@redhat.com>2014-11-20 15:31:15 +0100
commitbff97e8b2e8d80e75e989b661e873c8e72cd7429 (patch)
treea9c8eab2525c898e44a2eb228212baf9bff4a738 /install/ui/src/freeipa/Application_controller.js
parent43285b1fc3da7ab0c0fe411295e53a45f9a42106 (diff)
webui: fix potential XSS vulnerabilities
Escape user defined text to prevent XSS attacks. Extra precaution was taken to escape also parts which are unlikely to contain user-defined text. fixes CVE-2014-7850 https://fedorahosted.org/freeipa/ticket/4742 Reviewed-By: Tomas Babej <tbabej@redhat.com>
Diffstat (limited to 'install/ui/src/freeipa/Application_controller.js')
-rw-r--r--install/ui/src/freeipa/Application_controller.js4
1 files changed, 2 insertions, 2 deletions
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 094bd3da7..4bf76f8f5 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -252,12 +252,12 @@ define([
var error_container = $('<div/>', {
'class': 'container facet-content facet-error'
}).appendTo($('.app-container .content').empty());
- error_container.append('<h1>'+name+'</h1>');
+ error_container.append($('<h1/>', { text: name }));
var details = $('<div/>', {
'class': 'error-details'
}).appendTo(error_container);
- details.append('<p> Web UI got in unrecoverable state during "'+error.phase+'" phase.</p>');
+ details.append($('<p/>', { text: 'Web UI got in unrecoverable state during "' + error.phase + '" phase' }));
if (error.name) window.console.error(error.name);
if (error.results) {
var msg = error.results.message;
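Review bot: The last context line reads `error.results.message` into `msg`, but the place where that string is rendered lies outside this hunk, so it is not visible whether it gets the same escaping as `name` and `error.phase`. If `msg` is appended to `details` as concatenated markup, it should be built as a text node too, e.g. `details.append($('<p/>', { text: msg }));`, since a results message is presumably more likely to carry user-defined text than the phase name. Separately, the rewritten paragraph drops the trailing period of the original sentence; ending the literal with `'" phase.'` would keep the visible text unchanged. The enclosing function starts and ends outside the hunk.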