From 39562e0633a2472d50f7f33e69c36da4ad1fbfa3 Mon Sep 17 00:00:00 2001
From: Oliver Gorwits
Date: Wed, 28 Jun 2023 11:26:43 +0100
Subject: [PATCH] avoid CSS vulnerability in Job Queue page
---
 share/public/css/netdisco.css | 5 +++--
 share/views/ajax/admintask/jobqueue.tt | 2 +-
 share/views/js/admintask.js | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/share/public/css/netdisco.css b/share/public/css/netdisco.css
index 8b8234e1..b9405e96 100644
--- a/share/public/css/netdisco.css
+++ b/share/public/css/netdisco.css
@@ -103,8 +103,9 @@ div.content > div.tab-content table.nd_floatinghead thead {
 }
 .qtip-content {
- padding-bottom: 0px;
- line-height: 8px;
+ font-size: 15px;
+ font-family: monospace;
+ white-space: pre;
 }
 /* for where min-width is set but we don't want it */
diff --git a/share/views/ajax/admintask/jobqueue.tt b/share/views/ajax/admintask/jobqueue.tt
index f7f26391..41864ec0 100644
--- a/share/views/ajax/admintask/jobqueue.tt
+++ b/share/views/ajax/admintask/jobqueue.tt
@@ -22,7 +22,7 @@
 [% ' class="nd_jobqueueitem success"' IF row.status == 'done' %]
 [% ' class="nd_jobqueueitem error"' IF row.status == 'error' %]
 [% ' class="nd_jobqueueitem info"' IF row.status.search('^queued-') %]
- data-content="
[% row.log | html_entity %]
"
+ data-content="[% row.log | html_entity %]"
 >
 [% row.entered_stamp | html_entity %]
diff --git a/share/views/js/admintask.js b/share/views/js/admintask.js
index e41aff1a..28573ead 100644
--- a/share/views/js/admintask.js
+++ b/share/views/js/admintask.js
@@ -184,7 +184,7 @@
 $(this).qtip({
 overwrite: false,
 content: {
- attr: 'data-content'
+ text: $('').text( $(this).attr("data-content") ).html()
 },
 show: {
 event: event.type,
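Review bot: In jobqueue.tt the `data-content` attribute is escaped by `html_entity` for the attribute context only, and the browser hands the decoded, raw log text to any script that reads it, so its safety depends on every consumer treating the value as text. Nothing in the template records that contract. A template comment beside the attribute would help, for example `[%# data-content is plain job-log text; scripts must escape it before inserting it as HTML %]`. The enclosing table row starts before and continues after this hunk.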
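Review bot: The new `text:` line in admintask.js does not say why the value goes through a `.text(...).html()` round trip, so a later cleanup could restore `attr: 'data-content'`, which hands the decoded attribute value to qtip as markup. I would add `// data-content holds raw job-log text; re-escape it because qtip renders content.text as HTML` above the line. As rendered here the selector argument is an empty string, presumably an element literal lost in extraction; with a literal `$('')` the chain would run on an empty set and `.html()` would return undefined, so confirm the committed line creates an element. Any qtip call outside this hunk that still uses `attr:` on server-supplied text would need the same treatment. The options object continues past the end of the hunk.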