authorRotundo, Al (ar3165) <ar3165@att.com>2019-07-31 14:46:56 +0000
committerTimoney, Dan (dt5972) <dtimoney@att.com>2019-07-31 14:31:07 -0400
commit18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/views/sla
parent33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)
Added new modules to help prevent Cross Site Request Forgery
Made changes to prevent arbitrary code execution on AdmPortal. Issue-ID: OJSI-40 Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
Diffstat (limited to 'admportal/views/sla')
-rw-r--r--admportal/views/sla/list.ejs122
1 files changed, 58 insertions, 64 deletions
diff --git a/admportal/views/sla/list.ejs b/admportal/views/sla/list.ejs
index 10bd4f4c..575e2066 100644
--- a/admportal/views/sla/list.ejs
+++ b/admportal/views/sla/list.ejs
@@ -40,79 +40,73 @@
<div class="container-fluid">
<table id="sla" class="table table-hover table-condensed">
- <thead>
- <tr>
- <th>Module</th>
- <th>RPC</th>
- <th>Version</th>
- <th>Mode</th>
- <th>Active</th>
- <% if(priv == 'A') { %>
- <th>Activate/Deactive</th>
- <% } %>
- <th>Display</th>
- <th>XML code</th>
- <% if(priv=='A') { %>
- <th>Delete</th>
- <% } %>
- </tr>
- </thead>
- <tbody>
- <% var i=0; rows.forEach( function(row) { %>
- <tr>
- <td><%= row.module %></td>
- <td><%= row.rpc %></td>
- <td><%= row.version %></td>
- <td><%= row.mode %></td>
- <td><%= row.active %></td>
- <% if ( priv == 'A' ) {
- if (row.active == "Y") { %>
- <td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('deactivate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Deactivate</button> </td>
- <% } else { %>
- <td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('activate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Activate</button></td>
- <% } %>
- <% } %>
- <td>
- <button type="button" class="btn btn-default btn-xs"
- onclick='location.assign("/sla/printAsGv?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>Display</button>
- </td>
- <td>
- <button type="button" class="btn btn-default btn-xs"
- onclick='location.assign("/sla/printAsXml?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>XML code</button>
- </td>
- <% if ( priv == 'A' ) { %>
- <td>
- <button type="button" class="btn btn-default btn-xs"
+ <thead>
+ <tr>
+ <th>Module</th>
+ <th>RPC</th>
+ <th>Version</th>
+ <th>Mode</th>
+ <th>Active</th>
+ <% if(priv == 'A') { %>
+ <th>Activate/Deactive</th>
+ <% } %>
+ <th>XML code</th>
+ <% if(priv=='A') { %>
+ <th>Delete</th>
+ <% } %>
+ </tr>
+ </thead>
+ <tbody>
+ <% var i=0; rows.forEach( function(row) { %>
+ <tr>
+ <td><%= row.module %></td>
+ <td><%= row.rpc %></td>
+ <td><%= row.version %></td>
+ <td><%= row.mode %></td>
+ <td><%= row.active %></td>
+ <% if ( priv == 'A' ) {
+ if (row.active == "Y") { %>
+ <td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('deactivate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Deactivate</button> </td>
+ <% } else { %>
+ <td><button type="button" class="btn btn-default btn-xs" onclick="toggleState('activate','<%= row.module %>','<%= row.rpc %>','<%= row.version %>','<%= row.mode %>');" >Activate</button></td>
+ <% } %>
+ <% } %>
+ <td>
+ <button type="button" class="btn btn-default btn-xs"
+ onclick='location.assign("/sla/printAsXml?module=<%= row.module %>&rpc=<%= row.rpc %>&version=<%= row.version %>&mode=<%= row.mode %>");'>XML code</button>
+ </td>
+ <% if ( priv == 'A' ) { %>
+ <td>
+ <button type="button" class="btn btn-default btn-xs"
onclick="deleteGraph('<%=row.module %>',
- '<%=row.rpc %>', '<%=row.version %>','<%=row.mode %>');">Delete</button>
- </td>
- <% } %>
- </tr>
- <% i++; }); %>
- </tbody>
- </table>
+ '<%=row.rpc %>', '<%=row.version %>','<%=row.mode %>');">Delete</button>
+ </td>
+ <% } %>
+ </tr>
+ <% i++; }); %>
+ </tbody>
+ </table>
<% if(priv == 'A') { %>
<div class="actions" style="padding:0px 25px;">
<form method="POST" action="/sla/upload" enctype="multipart/form-data">
<div class="form-group">
- <label for="dest">File input</label>
- <input name="filename" type="file" id="dest">
- <p class="help-block">Choose a file to upload.</p>
- </div>
- <%
- if ( priv == 'A' )
- {
- %>
- <button type="button" class="btn btn-default"
- onclick="uploadFile(this.form);">Upload File</button>
- <% } else { %>
- <button type="button" class="btn btn-default disabled"
- onclick="uploadFile(this.form);">Upload File</button>
- <% } %>
+ <label for="dest">File input</label>
+ <input name="filename" type="file" id="dest" />
+ <input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+ <p class="help-block">Choose a file to upload.</p>
+ </div>
+ <% if ( priv == 'A' ) { %>
+ <button type="button" class="btn btn-default"
+ onclick="uploadFile(this.form);">Upload File</button>
+ <% } else { %>
+ <button type="button" class="btn btn-default disabled"
+ onclick="uploadFile(this.form);">Upload File</button>
+ <% } %>
</form>
</div>
<% } %>
+
</div>
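Review bot: The `<%= %>` HTML-entity escaping on the new Activate/Deactivate and Delete buttons does not protect the JavaScript string context it is used in: inside an `onclick` attribute the browser decodes `&#39;` back to `'` before the handler source is parsed, so a `row.module`, `row.rpc`, `row.version` or `row.mode` value containing a quote still terminates the string literal and the remainder runs as script, if any of those values can be attacker-influenced (their origin is not visible in this hunk). The same mismatch affects the `location.assign("/sla/printAsXml?module=<%= row.module %>&...")` line, where a value containing `&` (escaped to `&amp;` and decoded again) can append extra query parameters. Carrying the values in `data-*` attributes, where `<%= %>` escaping is sufficient, and reading `this.dataset` in the handler with `encodeURIComponent` for the URL keeps each value in a context whose escaping matches. `toggleState` and `deleteGraph` are defined outside the hunk, so I cannot tell whether they send the `_csrf` token the upload form now carries; they need to if they issue state-changing requests. Separately, the `else` branch that renders a disabled Upload button is unreachable, since the whole form is already inside `<% if(priv == 'A') { %>`.
```html
<% if ( priv == 'A' ) { %>
<td>
  <button type="button" class="btn btn-default btn-xs"
          data-action="<%= row.active == 'Y' ? 'deactivate' : 'activate' %>"
          data-module="<%= row.module %>" data-rpc="<%= row.rpc %>"
          data-version="<%= row.version %>" data-mode="<%= row.mode %>"
          onclick="toggleState(this.dataset.action, this.dataset.module, this.dataset.rpc, this.dataset.version, this.dataset.mode);">
    <%= row.active == 'Y' ? 'Deactivate' : 'Activate' %>
  </button>
</td>
<% } %>
<td>
  <button type="button" class="btn btn-default btn-xs"
          data-module="<%= row.module %>" data-rpc="<%= row.rpc %>"
          data-version="<%= row.version %>" data-mode="<%= row.mode %>"
          onclick="location.assign('/sla/printAsXml?module=' + encodeURIComponent(this.dataset.module) + '&amp;rpc=' + encodeURIComponent(this.dataset.rpc) + '&amp;version=' + encodeURIComponent(this.dataset.version) + '&amp;mode=' + encodeURIComponent(this.dataset.mode));">XML code</button>
</td>
<% if ( priv == 'A' ) { %>
<td>
  <button type="button" class="btn btn-default btn-xs"
          data-module="<%= row.module %>" data-rpc="<%= row.rpc %>"
          data-version="<%= row.version %>" data-mode="<%= row.mode %>"
          onclick="deleteGraph(this.dataset.module, this.dataset.rpc, this.dataset.version, this.dataset.mode);">Delete</button>
</td>
<% } %>
<!-- … unchanged: end of row, closing of table, upload form … -->
```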