Immediate fix to htmlEncode user added text (#5570)
There are likely problems remaining with the way that initCommentForm is creating its elements. I suspect that a malformed avatar url could be used maliciously.
This commit is contained in:
		
					parent
					
						
							
								4a02a783c4
							
						
					
				
			
			
				commit
				
					
						330bf8d3b3
					
				
			
		
					 1 changed files with 9 additions and 5 deletions
				
			
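--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,5 +1,9 @@
 'use strict';
 
+function htmlEncode(text) {
+   return jQuery('<div />').text(text).html()
+}
+
 var csrf;
 var suburl;
 
@@ -394,12 +398,12 @@ function initCommentForm() {
             switch (input_id) {
                 case '#milestone_id':
                     $list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
-                        $(this).text() + '</a>');
+                        htmlEncode($(this).text()) + '</a>');
                     break;
                 case '#assignee_id':
                     $list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
                         '<img class="ui avatar image" src=' + $(this).data('avatar') + '>' +
-                        $(this).text() + '</a>');
+                        htmlEncode($(this).text()) + '</a>');
             }
             $('.ui' + select_id + '.list .no-select').addClass('hide');
             $(input_id).val($(this).data('id'));
@@ -1538,7 +1542,7 @@ function searchUsers() {
                 $.each(response.data, function (i, item) {
                     var title = item.login;
                     if (item.full_name && item.full_name.length > 0) {
-                        title += ' (' + item.full_name + ')';
+                        title += ' (' + htmlEncode(item.full_name) + ')';
                     }
                     items.push({
                         title: title,
@@ -2692,7 +2696,7 @@ function initTopicbar() {
                 if (res.topics) {
                     formattedResponse.success = true;
                     for (var i=0;i < res.topics.length;i++) {
-                        formattedResponse.results.push({"description": res.topics[i].Name, "data-value":res.topics[i].Name})
+                        formattedResponse.results.push({"description": res.topics[i].Name, "data-value": res.topics[i].Name})
                     }
                 }
 
@@ -2813,7 +2817,7 @@ function initIssueList() {
                     // Parse the response from the api to work with our dropdown
                     $.each(response, function(index, issue) {
                         filteredResponse.results.push({
-                            'name'  : '#' + issue.number + ' ' + issue.title,
+                            'name'  : '#' + issue.number + ' ' + htmlEncode(issue.title),
                             'value' : issue.id
                         });
                     });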
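Review bot: The `href` and `src` attribute values on the `#milestone_id` and `#assignee_id` branches of the second hunk are still concatenated into the markup unquoted and unencoded, so encoding only the link text leaves the attribute context open — the same gap the commit message suspects for the avatar URL. `htmlEncode` as written (`.text(text).html()`) escapes `<`, `>` and `&` but not quotes, so it is not a fix for attribute values either; constructing the elements with jQuery and setting `.attr()`/`.text()` avoids string-built HTML entirely and makes the `htmlEncode` calls in that hunk unnecessary. In the `searchUsers` hunk, `title` mixes unencoded `item.login` with encoded `item.full_name`; if the dropdown renders `title` as HTML (the consumer is outside the hunk, so this is inferred), `item.login` needs the same treatment. Each enclosing function starts and ends outside its hunk.
```javascript
            switch (input_id) {
                case '#milestone_id':
                    $list.find('.selected').empty().append(
                        $('<a class="item"></a>')
                            .attr('href', $(this).data('href'))
                            .text($(this).text())
                    );
                    break;
                case '#assignee_id':
                    $list.find('.selected').empty().append(
                        $('<a class="item"></a>')
                            .attr('href', $(this).data('href'))
                            .append($('<img class="ui avatar image">').attr('src', $(this).data('avatar')))
                            .append(document.createTextNode($(this).text()))
                    );
            // … unchanged: end of switch, .no-select hide, input value assignment …
```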
	 zeripath
				zeripath