Changeset - 22da5f258118
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 7 years ago 2019-02-27 02:23:26
mads@kiilerich.com
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.

That could cause XSS issues, already when loading a PR page.

To avoid that, make sure autocompleteHighlightMatch always escape user
information. That makes the user safe as long as a rogue user isn't selected ...
1 file changed with 7 insertions and 6 deletions:
kallithea/public/js/base.js
7
6
0 comments (0 inline, 0 general)
kallithea/public/js/base.js
Show inline comments
 
@@ -953,228 +953,229 @@ var _getIdentNode = function(n){
 

			




	
	
	
		
 
    if (typeof n == 'undefined'){

			




	
	
	
		
 
        return -1

			




	
	
	
		
 
    }

			




	
	
	
		
 

			




	
	
	
		
 
    if(typeof n.id != "undefined" && n.id.match('L[0-9]+')){

			




	
	
	
		
 
        return n

			




	
	
	
		
 
    }

			




	
	
	
		
 
    else{

			




	
	
	
		
 
        return _getIdentNode(n.parentNode);

			




	
	
	
		
 
    }

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
/* generate links for multi line selects that can be shown by files.html page_highlights.

			




	
	
	
		
 
 * This is a mouseup handler for hlcode from CodeHtmlFormatter and pygmentize */

			




	
	
	
		
 
var getSelectionLink = function(e) {

			




	
	
	
		
 
    //get selection from start/to nodes

			




	
	
	
		
 
    if (typeof window.getSelection != "undefined") {

			




	
	
	
		
 
        var s = window.getSelection();

			




	
	
	
		
 

			




	
	
	
		
 
        var from = _getIdentNode(s.anchorNode);

			




	
	
	
		
 
        var till = _getIdentNode(s.focusNode);

			




	
	
	
		
 

			




	
	
	
		
 
        var f_int = parseInt(from.id.replace('L',''));

			




	
	
	
		
 
        var t_int = parseInt(till.id.replace('L',''));

			




	
	
	
		
 

			




	
	
	
		
 
        var yoffset = 35;

			




	
	
	
		
 
        var ranges = [parseInt(from.id.replace('L','')), parseInt(till.id.replace('L',''))];

			




	
	
	
		
 
        if (ranges[0] > ranges[1]){

			




	
	
	
		
 
            //highlight from bottom

			




	
	
	
		
 
            yoffset = -yoffset;

			




	
	
	
		
 
            ranges = [ranges[1], ranges[0]];

			




	
	
	
		
 
        }

			




	
	
	
		
 
        var $hl_div = $('div#linktt');

			




	
	
	
		
 
        // if we select more than 2 lines

			




	
	
	
		
 
        if (ranges[0] != ranges[1]){

			




	
	
	
		
 
            if ($hl_div.length) {

			




	
	
	
		
 
                $hl_div.html('');

			




	
	
	
		
 
            } else {

			




	
	
	
		
 
                $hl_div = $('<div id="linktt" class="hl-tip-box">');

			




	
	
	
		
 
                $('body').prepend($hl_div);

			




	
	
	
		
 
            }

			




	
	
	
		
 

			




	
	
	
		
 
            $hl_div.append($('<a>').html(_TM['Selection Link']).prop('href', location.href.substring(0, location.href.indexOf('#')) + '#L' + ranges[0] + '-'+ranges[1]));

			




	
	
	
		
 
            var xy = $(till).offset();

			




	
	
	
		
 
            $hl_div.css('top', (xy.top + yoffset) + 'px').css('left', xy.left + 'px');

			




	
	
	
		
 
            $hl_div.show();

			




	
	
	
		
 
        }

			




	
	
	
		
 
        else{

			




	
	
	
		
 
            $hl_div.hide();

			




	
	
	
		
 
        }

			




	
	
	
		
 
    }

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
/**

			




	
	
	
		
 
 * Autocomplete functionality

			




	
	
	
		
 
 */

			




	
	
	
		
 

			




	
	
	
		
 
// Custom search function for the DataSource of users

			




	
	
	
		
 
var autocompleteMatchUsers = function (sQuery, myUsers) {

			




	
	
	
		
 
    // Case insensitive matching

			




	
	
	
		
 
    var query = sQuery.toLowerCase();

			




	
	
	
		
 
    var i = 0;

			




	
	
	
		
 
    var l = myUsers.length;

			




	
	
	
		
 
    var matches = [];

			




	
	
	
		
 

			




	
	
	
		
 
    // Match against each name of each contact

			




	
	
	
		
 
    for (; i < l; i++) {

			




	
	
	
		
 
        var contact = myUsers[i];

			




	
	
	
		
 
        if (((contact.fname+"").toLowerCase().indexOf(query) > -1) ||

			




	
	
	
		
 
             ((contact.lname+"").toLowerCase().indexOf(query) > -1) ||

			




	
	
	
		
 
             ((contact.nname) && ((contact.nname).toLowerCase().indexOf(query) > -1))) {

			




	
	
	
		
 
            matches[matches.length] = contact;

			




	
	
	
		
 
        }

			




	
	
	
		
 
    }

			




	
	
	
		
 
    return matches;

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
// Custom search function for the DataSource of userGroups

			




	
	
	
		
 
var autocompleteMatchGroups = function (sQuery, myGroups) {

			




	
	
	
		
 
    // Case insensitive matching

			




	
	
	
		
 
    var query = sQuery.toLowerCase();

			




	
	
	
		
 
    var i = 0;

			




	
	
	
		
 
    var l = myGroups.length;

			




	
	
	
		
 
    var matches = [];

			




	
	
	
		
 

			




	
	
	
		
 
    // Match against each name of each group

			




	
	
	
		
 
    for (; i < l; i++) {

			




	
	
	
		
 
        var matched_group = myGroups[i];

			




	
	
	
		
 
        if (matched_group.grname.toLowerCase().indexOf(query) > -1) {

			




	
	
	
		
 
            matches[matches.length] = matched_group;

			




	
	
	
		
 
        }

			




	
	
	
		
 
    }

			




	
	
	
		
 
    return matches;

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
// Highlight the snippet if it is found in the full text.

			




	
	
	
		
 
// Highlight the snippet if it is found in the full text, while escaping any existing markup.

			




	
	
	
		
 
// Snippet must be lowercased already.

			




	
	
	
		
 
var autocompleteHighlightMatch = function (full, snippet) {

			




	
	
	
		
 
    var matchindex = full.toLowerCase().indexOf(snippet);

			




	
	
	
		
 
    if (matchindex <0)

			




	
	
	
		
 
        return full;

			




	
	
	
		
 
    return full.substring(0, matchindex)

			




	
	
	
		
 
        return full.html_escape();

			




	
	
	
		
 
    return full.substring(0, matchindex).html_escape()

			




	
	
	
		
 
        + '<span class="select2-match">'

			




	
	
	
		
 
        + full.substr(matchindex, snippet.length)

			




	
	
	
		
 
        + '</span>' + full.substring(matchindex + snippet.length);

			




	
	
	
		
 
        + full.substr(matchindex, snippet.length).html_escape()

			




	
	
	
		
 
        + '</span>'

			




	
	
	
		
 
        + full.substring(matchindex + snippet.length).html_escape();

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
// Return html snippet for showing the provided gravatar url

			




	
	
	
		
 
var gravatar = function(gravatar_lnk, size, cssclass) {

			




	
	
	
		
 
    if (!gravatar_lnk) {

			




	
	
	
		
 
        return '';

			




	
	
	
		
 
    }

			




	
	
	
		
 
    if (gravatar_lnk == 'default') {

			




	
	
	
		
 
        return '<i class="icon-user {1}" style="font-size: {0}px;"></i>'.format(size, cssclass);

			




	
	
	
		
 
    }

			




	
	
	
		
 
    return ('<i class="icon-gravatar {2}"' +

			




	
	
	
		
 
            ' style="font-size: {0}px;background-image: url(\'{1}\'); background-size: {0}px"' +

			




	
	
	
		
 
            '></i>').format(size, gravatar_lnk, cssclass);

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
var autocompleteGravatar = function(res, gravatar_lnk, size, group) {

			




	
	
	
		
 
    var elem;

			




	
	
	
		
 
    if (group !== undefined) {

			




	
	
	
		
 
        elem = '<i class="perm-gravatar-ac icon-users"></i>';

			




	
	
	
		
 
    } else {

			




	
	
	
		
 
        elem = gravatar(gravatar_lnk, size, "perm-gravatar-ac");

			




	
	
	
		
 
    }

			




	
	
	
		
 
    return '<div class="ac-container-wrap">{0}{1}</div>'.format(elem, res);

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
// Custom formatter to highlight the matching letters

			




	
	
	
		
 
// Custom formatter to highlight the matching letters and do HTML escaping

			




	
	
	
		
 
var autocompleteFormatter = function (oResultData, sQuery, sResultMatch) {

			




	
	
	
		
 
    var query;

			




	
	
	
		
 
    if (sQuery && sQuery.toLowerCase) // YAHOO AutoComplete

			




	
	
	
		
 
        query = sQuery.toLowerCase();

			




	
	
	
		
 
    else if (sResultMatch && sResultMatch.term) // select2 - parameter names doesn't match

			




	
	
	
		
 
        query = sResultMatch.term.toLowerCase();

			




	
	
	
		
 

			




	
	
	
		
 
    // group

			




	
	
	
		
 
    if (oResultData.type == "group") {

			




	
	
	
		
 
        return autocompleteGravatar(

			




	
	
	
		
 
            "{0}: {1}".format(

			




	
	
	
		
 
                _TM['Group'],

			




	
	
	
		
 
                autocompleteHighlightMatch(oResultData.grname, query)),

			




	
	
	
		
 
            null, null, true);

			




	
	
	
		
 
    }

			




	
	
	
		
 

			




	
	
	
		
 
    // users

			




	
	
	
		
 
    if (oResultData.nname) {

			




	
	
	
		
 
        var displayname = autocompleteHighlightMatch(oResultData.nname, query);

			




	
	
	
		
 
        if (oResultData.fname && oResultData.lname) {

			




	
	
	
		
 
            displayname = "{0} {1} ({2})".format(

			




	
	
	
		
 
                autocompleteHighlightMatch(oResultData.fname, query),

			




	
	
	
		
 
                autocompleteHighlightMatch(oResultData.lname, query),

			




	
	
	
		
 
                displayname);

			




	
	
	
		
 
        }

			




	
	
	
		
 

			




	
	
	
		
 
        return autocompleteGravatar(displayname, oResultData.gravatar_lnk, oResultData.gravatar_size);

			




	
	
	
		
 
    }

			




	
	
	
		
 

			




	
	
	
		
 
    return '';

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
var SimpleUserAutoComplete = function ($inputElement) {

			




	
	
	
		
 
    $inputElement.select2({

			




	
	
	
		
 
        formatInputTooShort: $inputElement.attr('placeholder'),

			




	
	
	
		
 
        initSelection : function (element, callback) {

			




	
	
	
		
 
            $.ajax({

			




	
	
	
		
 
                url: pyroutes.url('users_and_groups_data'),

			




	
	
	
		
 
                dataType: 'json',

			




	
	
	
		
 
                data: {

			




	
	
	
		
 
                    key: element.val()

			




	
	
	
		
 
                },

			




	
	
	
		
 
                success: function(data){

			




	
	
	
		
 
                  callback(data.results[0]);

			




	
	
	
		
 
                }

			




	
	
	
		
 
            });

			




	
	
	
		
 
        },

			




	
	
	
		
 
        minimumInputLength: 1,

			




	
	
	
		
 
        ajax: {

			




	
	
	
		
 
            url: pyroutes.url('users_and_groups_data'),

			




	
	
	
		
 
            dataType: 'json',

			




	
	
	
		
 
            data: function(term, page){

			




	
	
	
		
 
              return {

			




	
	
	
		
 
                query: term

			




	
	
	
		
 
              };

			




	
	
	
		
 
            },

			




	
	
	
		
 
            results: function (data, page){

			




	
	
	
		
 
              return data;

			




	
	
	
		
 
            },

			




	
	
	
		
 
            cache: true

			




	
	
	
		
 
        },

			




	
	
	
		
 
        formatSelection: autocompleteFormatter,

			




	
	
	
		
 
        formatResult: autocompleteFormatter,

			




	
	
	
		
 
        escapeMarkup: function(m) { return m; },

			




	
	
	
		
 
        id: function(item) { return item.nname; },

			




	
	
	
		
 
    });

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
var MembersAutoComplete = function ($inputElement, $typeElement) {

			




	
	
	
		
 

			




	
	
	
		
 
    $inputElement.select2({

			




	
	
	
		
 
        placeholder: $inputElement.attr('placeholder'),

			




	
	
	
		
 
        minimumInputLength: 1,

			




	
	
	
		
 
        ajax: {

			




	
	
	
		
 
            url: pyroutes.url('users_and_groups_data'),

			




	
	
	
		
 
            dataType: 'json',

			




	
	
	
		
 
            data: function(term, page){

			




	
	
	
		
 
              return {

			




	
	
	
		
 
                query: term,

			




	
	
	
		
 
                types: 'users,groups'

			




	
	
	
		
 
              };

			




	
	
	
		
 
            },

			




	
	
	
		
 
            results: function (data, page){

			




	
	
	
		
 
              return data;

			




	
	
	
		
 
            },

			




	
	
	
		
 
            cache: true

			




	
	
	
		
 
        },

			




	
	
	
		
 
        formatSelection: autocompleteFormatter,

			




	
	
	
		
 
        formatResult: autocompleteFormatter,

			




	
	
	
		
 
        escapeMarkup: function(m) { return m; },

			




	
	
	
		
 
        id: function(item) { return item.type == 'user' ? item.nname : item.grname },

			




	
	
	
		
 
    }).on("select2-selecting", function(e) {

			




	
	
	
		
 
        // e.choice.id is automatically used as selection value - just set the type of the selection

			




	
	
	
		
 
        $typeElement.val(e.choice.type);

			




	
	
	
		
 
    });

			




	
	
	
		
 
}

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.