XSS vulnerability in the admin tool #214

@GUI

Description

I stumbled across some cross-site-scripting (XSS) vulnerabilities in the admin tool related to how we weren't escaping user account information when displaying it (mainly in the table listings).

I've stepped through all the places in the admin where we display user information, and I think all of these issues should be properly escaped and tested now. I've also ensured that all other similar content is escaped, even if it's not necessarily user-submitted content, just to be doubly safe.

Most of this stemmed from my bad assumption that DataTables escaped content it was displaying from JSON sources, but that is not the case. This didn't use to be an issue due to how the tables were previously generated, but it has become one since more of the admin tables were switched over to use DataTables.

To ensure that this vulnerability had not actually been exploited, I've also audited all of our existing user data to ensure that nobody had previously taken advantage of this vulnerability without us knowing. The good news is that there isn't any fishy content in our database, so I don't think we have to worry about anyone having done anything malicious.

This was fixed by NREL/api-umbrella-web@f53a9fb and NREL/api-umbrella-web@bcc0e92
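As an added illustration of the escaping mistake described above (this is example code, not code from the api-umbrella-web project or from the linked commits): a table renderer that drops JSON fields straight into markup interprets any HTML in the user record, while escaping each field first renders it as literal text. The record shape (`email`, `firstName`, `lastName`) and the sample users are constructed for the example; the audit helper at the end is the kind of check you would run over stored data to look for records that already contain markup.

```javascript
// Added example, not project code. Demonstrates why JSON-sourced cell content
// must be HTML-escaped before it reaches the DOM, plus a small data audit.

// Escapes the five characters that can change meaning inside HTML text or a
// double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample of what an admin API might return for the user listing.
// The second record carries markup in a free-text field, as an attacker who
// registered an account could supply.
const sampleUsers = [
  { email: "alice@example.com", firstName: "Alice", lastName: "Smith" },
  { email: "mallory@example.com", firstName: "<script>alert(1)</script>", lastName: "Jones" },
];

// "Before": cell markup is built by concatenation, trusting the JSON input.
// Any HTML in the data becomes part of the page.
function renderRowUnsafe(user) {
  return `<tr><td>${user.email}</td><td>${user.firstName}</td><td>${user.lastName}</td></tr>`;
}

// "After": every field is escaped before it is placed into markup, so the
// browser shows the tags as text instead of executing them.
function renderRowSafe(user) {
  const cells = [user.email, user.firstName, user.lastName]
    .map((v) => `<td>${escapeHtml(v)}</td>`)
    .join("");
  return `<tr>${cells}</tr>`;
}

// Audit helper: flags stored records whose text fields contain angle brackets
// or numeric entity references, so existing data can be reviewed by hand.
const MARKUP_PATTERN = /[<>]|&#/;
function findSuspiciousRecords(users, fields = ["email", "firstName", "lastName"]) {
  const hits = [];
  for (const user of users) {
    for (const field of fields) {
      const value = user[field];
      if (typeof value === "string" && MARKUP_PATTERN.test(value)) {
        hits.push({ email: user.email, field, value });
      }
    }
  }
  return hits;
}

// Example run: print the safe rows and any records the audit flags.
for (const user of sampleUsers) {
  console.log(renderRowSafe(user));
}
console.log(findSuspiciousRecords(sampleUsers));
```

When the table is driven by DataTables itself rather than hand-built rows, the same fix is applied per column: DataTables passes the raw JSON value through to the cell, so each column that shows user-supplied text needs a `render` function that escapes it (DataTables ships one for this purpose, `$.fn.dataTable.render.text()`), otherwise the default behaviour is exactly the unescaped path shown in `renderRowUnsafe`.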
