From 4317b3c8721c1a5f8ad49b6f7302df6ab04f1b45 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Sun, 18 Jan 2015 17:03:08 -0500
Subject: [PATCH] fixing more exposed XSS outlets in groups frontend
---
 public/src/client/groups/details.js | 4 ++--
 public/src/client/groups/list.js | 2 +-
 public/src/utils.js | 4 ++++
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/public/src/client/groups/details.js b/public/src/client/groups/details.js
index 0ef47b3fd8..7ad5702a7d 100644
--- a/public/src/client/groups/details.js
+++ b/public/src/client/groups/details.js
@@ -134,7 +134,7 @@ define('forum/groups/details', ['iconSelect', 'vendor/colorpicker/colorpicker',
 };
 Details.deleteGroup = function() {
- bootbox.confirm('Are you sure you want to delete the group: ' + ajaxify.variables.get('group_name'), function(confirm) {
+ bootbox.confirm('Are you sure you want to delete the group: ' + utils.escapeHTML(ajaxify.variables.get('group_name')), function(confirm) {
 if (confirm) {
 bootbox.prompt('Please enter the name of this group in order to delete it:', function(response) {
 if (response === ajaxify.variables.get('group_name')) {
@@ -142,7 +142,7 @@ define('forum/groups/details', ['iconSelect', 'vendor/colorpicker/colorpicker',
 groupName: ajaxify.variables.get('group_name')
 }, function(err) {
 if (!err) {
- app.alertSuccess('[[groups:event.deleted, ' + ajaxify.variables.get('group_name') + ']]');
+ app.alertSuccess('[[groups:event.deleted, ' + utils.escapeHTML(ajaxify.variables.get('group_name')) + ']]');
 ajaxify.go('groups');
 } else {
 app.alertError(err.message);
diff --git a/public/src/client/groups/list.js b/public/src/client/groups/list.js
index d4a92ac9aa..7022a64725 100644
--- a/public/src/client/groups/list.js
+++ b/public/src/client/groups/list.js
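Review bot: In the second hunk the escaped group name is spliced into a translator token, `'[[groups:event.deleted, ' + utils.escapeHTML(...) + ']]'`, and HTML-escaping does nothing to the token's own delimiters — if the translator splits parameters on `,` or terminates on `]]` (as the syntax suggests; confirm against the translator implementation), a group name containing either can still break the token even after this change, so the name should be passed to the translator as a parameter rather than concatenated, or `,` and `]]` should be escaped in addition to HTML. Both hunks also rely on `utils` being in scope in this module, but the `define(...)` dependency list is truncated in the hunk header, so verify `utils` is actually injected or global here. The enclosing `Details.deleteGroup` callback chain begins in the first hunk and continues past the end of the second.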
@@ -21,7 +21,7 @@ define('forum/groups/list', function() {
 name: name
 }, function(err) {
 if (!err) {
- ajaxify.go('groups/' + name);
+ ajaxify.go('groups/' + encodeURIComponent(name));
 } else {
 app.alertError(err.message);
 }
diff --git a/public/src/utils.js b/public/src/utils.js
index a3f3be9648..27a4f2e8e5 100644
--- a/public/src/utils.js
+++ b/public/src/utils.js
@@ -248,6 +248,10 @@
 return text.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&");
 },
+ escapeHTML: function(raw) {
+ return raw.replace(/&/gm,"&").replace(//gm,">");
+ },
+
 isAndroidBrowser: function() {
 // http://stackoverflow.com/questions/9286355/how-to-detect-only-the-native-android-browser
 var nua = navigator.userAgent;
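Review bot: The new `escapeHTML` in utils.js only covers `&`, `<` and `>` and never escapes `"` or `'`, so it is not safe for any call site that drops the value into an HTML attribute (`value="…"`, `title="…"`, `data-*`), and `raw.replace` throws if `ajaxify.variables.get('group_name')` ever returns undefined. As rendered on this page the replacement strings also look entity-decoded (`"&"` as a no-op and an empty `//gm` pattern), which is most likely extraction damage rather than what was committed — but worth confirming the committed regexes and that the `m` flag (meaningless for single-character patterns) is dropped. A defensive version that also covers quotes and tolerates null/undefined, with a short doc comment stating it is for text and attribute contexts but not for URLs or script blocks, would be:

```javascript
// Escape a value for safe insertion as HTML text or into a quoted HTML
// attribute. Not sufficient for URL, JS or CSS contexts.
escapeHTML: function(raw) {
	return String(raw == null ? '' : raw)
		.replace(/&/g, '&amp;')
		.replace(/</g, '&lt;')
		.replace(/>/g, '&gt;')
		.replace(/"/g, '&quot;')
		.replace(/'/g, '&#39;');
},
```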