Changeset - 429c2c8a4354
default
Mads Kiilerich - 7 years ago 2019-02-27 02:23:26
mads@kiilerich.com
pullrequests: prevent XSS in @mention completion when first and last names cannot be trusted

atwho used in MentionsAutoComplete is passing raw user controlled data which
might contain HTML markup.

That could cause XSS issues when completion hits a rogue user name.

To avoid that, make sure displayTpl always escape user information, as
recommended in https://github.com/ichord/At.js/issues/334 .
1 file changed with 7 insertions and 1 deletions:
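--- a/kallithea/public/js/base.js
+++ b/kallithea/public/js/base.js
@@ -1177,49 +1177,55 @@ var MembersAutoComplete = function ($inp
         $typeElement.val(e.choice.type);
     });
 }
 
 var MentionsAutoComplete = function ($inputElement) {
   $inputElement.atwho({
     at: "@",
     callbacks: {
       remoteFilter: function(query, callback) {
         $.getJSON(
           pyroutes.url('users_and_groups_data'),
           {
             query: query,
             types: 'users'
           },
           function(data) {
             callback(data.results)
           }
         );
       },
       sorter: function(query, items, searchKey) {
         return items;
       }
     },
-    displayTpl: "<li>" + autocompleteGravatar('${fname} ${lname} (${nname})', '${gravatar_lnk}', 16) + "</li>",
+    displayTpl: function(item) {
+        return "<li>" +
+            autocompleteGravatar(
+                "{0} {1} ({2})".format(item.fname, item.lname, item.nname).html_escape(),
+                '${gravatar_lnk}', 16) +
+            "</li>";
+    },
     insertTpl: "${atwho-at}${nname}"
   });
 };
 
 
 // Set caret at the given position in the input element
 function _setCaretPosition($inputElement, caretPos) {
     $inputElement.each(function(){
         if(this.createTextRange) { // IE
             var range = this.createTextRange();
             range.move('character', caretPos);
             range.select();
         }
         else if(this.selectionStart) { // other recent browsers
             this.focus();
             this.setSelectionRange(caretPos, caretPos);
         }
         else // last resort - very old browser
             this.focus();
     });
 }
 
 
 var addReviewMember = function(id,fname,lname,nname,gravatar_link,gravatar_size){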
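Review bot: The new displayTpl function still hands the literal `'${gravatar_lnk}'` to autocompleteGravatar as an At.js template token instead of the item's own value, so the markup it returns still depends on At.js's `${...}` substitution pass, which presumably inserts values without escaping (the same path the commit message identifies as the XSS source). If that pass runs over the whole returned string, the name text escaped on the line above is not fully protected either, since `html_escape()` leaves `$`, `{` and `}` intact and a display name containing a `${...}` token would seem to be expanded by it. Assuming the results carry a `gravatar_lnk` field, as the template token implies, passing it explicitly keeps every user-derived value on the escaping path and leaves no token for At.js to substitute: `item.gravatar_lnk.html_escape(), 16) +` in place of `'${gravatar_lnk}', 16) +`. Whether autocompleteGravatar attribute-escapes its second argument itself is not visible in this hunk and would be worth confirming. MentionsAutoComplete starts and ends inside the hunk.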