Mercurial > kallithea
changeset 7539:22da5f258118
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when loading a PR page.
To avoid that, make sure autocompleteHighlightMatch always escape user
information. That makes the user safe as long as a rogue user isn't selected ...
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Wed, 27 Feb 2019 02:23:26 +0100 |
parents | 74ec3a3bfdc7 |
children | 9beef1d91c4c |
files | kallithea/public/js/base.js |
diffstat | 1 files changed, 7 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/kallithea/public/js/base.js Mon Feb 11 21:36:13 2019 +0100 +++ b/kallithea/public/js/base.js Wed Feb 27 02:23:26 2019 +0100 @@ -1046,16 +1046,17 @@ return matches; }; -// Highlight the snippet if it is found in the full text. +// Highlight the snippet if it is found in the full text, while escaping any existing markup. // Snippet must be lowercased already. var autocompleteHighlightMatch = function (full, snippet) { var matchindex = full.toLowerCase().indexOf(snippet); if (matchindex <0) - return full; - return full.substring(0, matchindex) + return full.html_escape(); + return full.substring(0, matchindex).html_escape() + '<span class="select2-match">' - + full.substr(matchindex, snippet.length) - + '</span>' + full.substring(matchindex + snippet.length); + + full.substr(matchindex, snippet.length).html_escape() + + '</span>' + + full.substring(matchindex + snippet.length).html_escape(); }; // Return html snippet for showing the provided gravatar url @@ -1081,7 +1082,7 @@ return '<div class="ac-container-wrap">{0}{1}</div>'.format(elem, res); } -// Custom formatter to highlight the matching letters +// Custom formatter to highlight the matching letters and do HTML escaping var autocompleteFormatter = function (oResultData, sQuery, sResultMatch) { var query; if (sQuery && sQuery.toLowerCase) // YAHOO AutoComplete