From 19344f0584d4d6d4526fdf331adc60530e3f685b Mon Sep 17 00:00:00 2001
From: Tony Murray <murraytony@gmail.com>
Date: Thu, 18 Apr 2024 21:45:30 -0500
Subject: [PATCH] Fix JS injection in Service Templates (#15954)

You can't put user data in any "onwhatever" attributes, there is no way to sanitize it there.
Use data attributes instead.
---
 .../views/service-template/index.blade.php    | 62 ++++++++++++++-----
 1 file changed, 45 insertions(+), 17 deletions(-)

diff --git a/resources/views/service-template/index.blade.php b/resources/views/service-template/index.blade.php
index 50f11c63dc31..8843bbe6e3a6 100644
--- a/resources/views/service-template/index.blade.php
+++ b/resources/views/service-template/index.blade.php
@@ -17,7 +17,7 @@
                         <i class="fa fa-plus"></i> {{ __('New Service Template') }}
                     </a>
                     <button type="button" title="{{ __('Apply Service Templates') }}" class="btn btn-success" aria-label="{{ __('Apply Service Templates') }}"
-                            onclick="applyAll_st(this, '{{ route('services.templates.applyAll') }}')">
+                            onclick="applyAll_st(this)">
                         <i
                             class="fa fa-refresh" aria-hidden="true"></i> {{ __('Apply Service Templates') }}</button>
                 </div>
@@ -49,18 +49,32 @@ class="fa fa-refresh" aria-hidden="true"></i> {{ __('Apply Service Templates') }
                             <td>{{ __(ucfirst($template->type)) }}</td>
                             <td>{{ $template->type == 'dynamic' ? $template->getDeviceParser()->toSql(false) : '' }}</td>
                             <td>
-                                <button type="button" title="{{ __('Apply Services for this Service Template') }}" class="btn btn-success btn-sm" aria-label="{{ __('Apply') }}"
-                                    onclick="apply_st(this, '{{ $template->name }}', '{{ $template->id }}', '{{ route('services.templates.apply', $template->id) }}')">
-                                    <i class="fa fa-refresh" aria-hidden="true"></i></button>
-                                <button type="button" title="{{ __('Remove Services for this Service Template') }}" class="btn btn-warning btn-sm" aria-label="{{ __('Remove') }}"
-                                    onclick="remove_st(this, '{{ $template->name }}', '{{ $template->id }}', '{{ route('services.templates.remove', $template->id) }}')">
-                                    <i class="fa fa-ban" aria-hidden="true"></i></button>
-                                <a type="button" title="{{ __('Edit Service Template') }}" class="btn btn-primary btn-sm" aria-label="{{ __('Edit') }}"
-                                    href="{{ route('services.templates.edit', $template->id) }}">
-                                    <i class="fa fa-pencil" aria-hidden="true"></i></a>
-                                <button type="button" class="btn btn-danger btn-sm" title="{{ __('Delete Service Template') }}" aria-label="{{ __('Delete') }}"
-                                    onclick="delete_st(this, '{{ $template->name }}', '{{ $template->id }}', '{{ route('services.templates.destroy', $template->id) }}')">
-                                    <i class="fa fa-trash" aria-hidden="true"></i></button>
+                                <button type="button" title="{{ __('Apply Services for this Service Template') }}"
+                                        class="btn btn-success btn-sm" aria-label="{{ __('Apply') }}"
+                                        data-template-name="{{ $template->name }}"
+                                        data-template-id="{{ $template->id }}"
+                                        onclick="apply_st(this)">
+                                    <i class="fa fa-refresh" aria-hidden="true"></i>
+                                </button>
+                                <button type="button" title="{{ __('Remove Services for this Service Template') }}"
+                                        class="btn btn-warning btn-sm" aria-label="{{ __('Remove') }}"
+                                        data-template-name="{{ $template->name }}"
+                                        data-template-id="{{ $template->id }}"
+                                        onclick="remove_st(this)">
+                                    <i class="fa fa-ban" aria-hidden="true"></i>
+                                </button>
+                                <a type="button" title="{{ __('Edit Service Template') }}"
+                                   class="btn btn-primary btn-sm" aria-label="{{ __('Edit') }}"
+                                   href="{{ route('services.templates.edit', $template->id) }}">
+                                    <i class="fa fa-pencil" aria-hidden="true"></i>
+                                </a>
+                                <button type="button" class="btn btn-danger btn-sm"
+                                        title="{{ __('Delete Service Template') }}" aria-label="{{ __('Delete') }}"
+                                        data-template-name="{{ $template->name }}"
+                                        data-template-id="{{ $template->id }}"
+                                        onclick="delete_st(this)">
+                                    <i class="fa fa-trash" aria-hidden="true"></i>
+                                </button>
                             </td>
                         </tr>
                     @endforeach
@@ -151,7 +165,11 @@ class="fa fa-refresh" aria-hidden="true"></i> {{ __('Apply Service Templates') }
 
 @section('scripts')
     <script>
-        function apply_st(button, name, id, url) {
+        function apply_st(button) {
+            var id = button.dataset.templateId;
+            var name = button.dataset.templateName;
+            var url = "{{ route('services.templates.apply', ':template-id') }}".replace(':template-id', id);
+
             if (confirm('{{ __('Are you sure you want to create Services for ') }}' + name + '?')) {
                 $.ajax({
                     url: url,
@@ -165,7 +183,9 @@ function apply_st(button, name, id, url) {
                 });
             }
         }
-        function applyAll_st(button, url) {
+        function applyAll_st(button) {
+            var url = "{{ route('services.templates.applyAll') }}";
+
             if (confirm('{{ __('Are you sure you want to Apply All Service Templates?') }}')) {
                 $.ajax({
                     url: url,
@@ -179,7 +199,11 @@ function applyAll_st(button, url) {
                 });
             }
         }
-        function remove_st(button, name, id, url) {
+        function remove_st(button) {
+            var id = button.dataset.templateId;
+            var name = button.dataset.templateName;
+            var url = "{{ route('services.templates.remove', ':template-id') }}".replace(':template-id', id);
+
             if (confirm('{{ __('Are you sure you want to remove all Services created by ') }}' + name + '?')) {
                 $.ajax({
                     url: url,
@@ -195,8 +219,12 @@ function remove_st(button, name, id, url) {
 
             return false;
         }
-        function delete_st(button, name, id, url) {
+        function delete_st(button) {
             var index = button.parentNode.parentNode.rowIndex;
+            var id = button.dataset.templateId;
+            var name = button.dataset.templateName;
+            var url = "{{ route('services.templates.destroy', ':template-id') }}".replace(':template-id', id);
+
             if (confirm('{{ __('Are you sure you want to delete AND remove all Services created by ') }}' + name + '?')) {
                 $.ajax({
                     url: url,