Immediate fix to htmlEncode user added text (#5575)

There are likely problems remaining with the way that initCommentForm
is creating its elements. I suspect that a malformed avatar url could
be used maliciously.
This commit is contained in:
techknowlogick 2018-12-21 09:05:47 -05:00 committed by GitHub
parent 21c70e1ed2
commit af4626a270
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -1,5 +1,9 @@
'use strict'; 'use strict';
function htmlEncode(text) {
return jQuery('<div />').text(text).html()
}
var csrf; var csrf;
var suburl; var suburl;
@ -312,12 +316,12 @@ function initCommentForm() {
switch (input_id) { switch (input_id) {
case '#milestone_id': case '#milestone_id':
$list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' + $list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
$(this).text() + '</a>'); htmlEncode($(this).text()) + '</a>');
break; break;
case '#assignee_id': case '#assignee_id':
$list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' + $list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
'<img class="ui avatar image" src=' + $(this).data('avatar') + '>' + '<img class="ui avatar image" src=' + $(this).data('avatar') + '>' +
$(this).text() + '</a>'); htmlEncode($(this).text()) + '</a>');
} }
$('.ui' + select_id + '.list .no-select').addClass('hide'); $('.ui' + select_id + '.list .no-select').addClass('hide');
$(input_id).val($(this).data('id')); $(input_id).val($(this).data('id'));
@ -1456,7 +1460,7 @@ function searchUsers() {
$.each(response.data, function (i, item) { $.each(response.data, function (i, item) {
var title = item.login; var title = item.login;
if (item.full_name && item.full_name.length > 0) { if (item.full_name && item.full_name.length > 0) {
title += ' (' + item.full_name + ')'; title += ' (' + htmlEncode(item.full_name) + ')';
} }
items.push({ items.push({
title: title, title: title,
@ -2510,7 +2514,7 @@ function initTopicbar() {
if (res.topics) { if (res.topics) {
formattedResponse.success = true; formattedResponse.success = true;
for (var i=0;i < res.topics.length;i++) { for (var i=0;i < res.topics.length;i++) {
formattedResponse.results.push({"description": res.topics[i].Name, "data-value":res.topics[i].Name}) formattedResponse.results.push({"description": res.topics[i].Name, "data-value": res.topics[i].Name})
} }
} }
@ -2631,7 +2635,7 @@ function initIssueList() {
// Parse the response from the api to work with our dropdown // Parse the response from the api to work with our dropdown
$.each(response, function(index, issue) { $.each(response, function(index, issue) {
filteredResponse.results.push({ filteredResponse.results.push({
'name' : '#' + issue.number + '&nbsp;' + issue.title, 'name' : '#' + issue.number + '&nbsp;' + htmlEncode(issue.title),
'value' : issue.id 'value' : issue.id
}); });
}); });