Changeset - 22da5f258118
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 7 years ago 2019-02-27 02:23:26
mads@kiilerich.com
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.

That could cause XSS issues, already when loading a PR page.

To avoid that, make sure autocompleteHighlightMatch always escape user
information. That makes the user safe as long as a rogue user isn't selected ...
1 file changed with 7 insertions and 6 deletions:
kallithea/public/js/base.js
7
6
0 comments (0 inline, 0 general)
kallithea/public/js/base.js
Show inline comments
 
@@ -1043,22 +1043,23 @@ var autocompleteMatchGroups = function (
 
            matches[matches.length] = matched_group;
 
        }
 
    }
 
    return matches;
 
};
 

			




	
	
	
		
 
// Highlight the snippet if it is found in the full text.

			




	
	
	
		
 
// Highlight the snippet if it is found in the full text, while escaping any existing markup.

			




	
	
	
		
 
// Snippet must be lowercased already.

			




	
	
	
		
 
var autocompleteHighlightMatch = function (full, snippet) {

			




	
	
	
		
 
    var matchindex = full.toLowerCase().indexOf(snippet);

			




	
	
	
		
 
    if (matchindex <0)

			




	
	
	
		
 
        return full;

			




	
	
	
		
 
    return full.substring(0, matchindex)

			




	
	
	
		
 
        return full.html_escape();

			




	
	
	
		
 
    return full.substring(0, matchindex).html_escape()

			




	
	
	
		
 
        + '<span class="select2-match">'

			




	
	
	
		
 
        + full.substr(matchindex, snippet.length)

			




	
	
	
		
 
        + '</span>' + full.substring(matchindex + snippet.length);

			




	
	
	
		
 
        + full.substr(matchindex, snippet.length).html_escape()

			




	
	
	
		
 
        + '</span>'

			




	
	
	
		
 
        + full.substring(matchindex + snippet.length).html_escape();

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
// Return html snippet for showing the provided gravatar url

			




	
	
	
		
 
var gravatar = function(gravatar_lnk, size, cssclass) {

			




	
	
	
		
 
    if (!gravatar_lnk) {

			




	
	
	
		
 
        return '';

			




	
	
		
 
@@ -1078,13 +1079,13 @@ var autocompleteGravatar = function(res,

			




	
	
	
		
 
    } else {

			




	
	
	
		
 
        elem = gravatar(gravatar_lnk, size, "perm-gravatar-ac");

			




	
	
	
		
 
    }

			




	
	
	
		
 
    return '<div class="ac-container-wrap">{0}{1}</div>'.format(elem, res);

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
// Custom formatter to highlight the matching letters

			




	
	
	
		
 
// Custom formatter to highlight the matching letters and do HTML escaping

			




	
	
	
		
 
var autocompleteFormatter = function (oResultData, sQuery, sResultMatch) {

			




	
	
	
		
 
    var query;

			




	
	
	
		
 
    if (sQuery && sQuery.toLowerCase) // YAHOO AutoComplete

			




	
	
	
		
 
        query = sQuery.toLowerCase();

			




	
	
	
		
 
    else if (sResultMatch && sResultMatch.term) // select2 - parameter names doesn't match

			




	
	
	
		
 
        query = sResultMatch.term.toLowerCase();

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.