web/cryptpad
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix potential XSS issues if CSP is badly configured

Browse Source
This commit is contained in:
yflory 2019-08-27 12:03:25 +02:00
parent c62e279224
commit 76410b479b
1 changed files with 25 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
www/common/notifications.js
View File

@ -4,10 +4,11 @@ define([
'/common/common-hash.js', '/common/common-hash.js',
'/common/common-interface.js', '/common/common-interface.js',
'/common/common-ui-elements.js', '/common/common-ui-elements.js',
'/common/common-util.js',
'/common/common-constants.js', '/common/common-constants.js',
'/customize/messages.js', '/customize/messages.js',
'/bower_components/nthen/index.js' '/bower_components/nthen/index.js'
], function ($, h, Hash, UI, UIElements, Constants, Messages, nThen) { ], function ($, h, Hash, UI, UIElements, Util, Constants, Messages, nThen) {
var handlers = {}; var handlers = {};
@ -28,10 +29,11 @@ define([
handlers['FRIEND_REQUEST'] = function (common, data) { handlers['FRIEND_REQUEST'] = function (common, data) {
var content = data.content; var content = data.content;
var msg = content.msg; var msg = content.msg;
var name = Util.fixHTML(msg.content.displayName) || Messages.anonymous;
// Display the notification // Display the notification
content.getFormatText = function () { content.getFormatText = function () {
return Messages._getKey('friendRequest_notification', [msg.content.displayName || Messages.anonymous]); return Messages._getKey('friendRequest_notification', [name]);
}; };
// Check authenticity // Check authenticity
@ -49,8 +51,9 @@ define([
handlers['FRIEND_REQUEST_ACCEPTED'] = function (common, data) { handlers['FRIEND_REQUEST_ACCEPTED'] = function (common, data) {
var content = data.content; var content = data.content;
var msg = content.msg; var msg = content.msg;
var name = Util.fixHTML(msg.content.name) || Messages.anonymous;
content.getFormatText = function () { content.getFormatText = function () {
return Messages._getKey('friendRequest_accepted', [msg.content.name || Messages.anonymous]); return Messages._getKey('friendRequest_accepted', [name]);
}; };
if (!content.archived) { if (!content.archived) {
content.dismissHandler = defaultDismiss(common, data); content.dismissHandler = defaultDismiss(common, data);
@ -60,8 +63,9 @@ define([
handlers['FRIEND_REQUEST_DECLINED'] = function (common, data) { handlers['FRIEND_REQUEST_DECLINED'] = function (common, data) {
var content = data.content; var content = data.content;
var msg = content.msg; var msg = content.msg;
var name = Util.fixHTML(msg.content.name) || Messages.anonymous;
content.getFormatText = function () { content.getFormatText = function () {
return Messages._getKey('friendRequest_declined', [msg.content.name || Messages.anonymous]); return Messages._getKey('friendRequest_declined', [name]);
}; };
if (!content.archived) { if (!content.archived) {
content.dismissHandler = defaultDismiss(common, data); content.dismissHandler = defaultDismiss(common, data);
@ -77,8 +81,10 @@ define([
var key = type === 'drive' ? 'notification_folderShared' : var key = type === 'drive' ? 'notification_folderShared' :
(type === 'file' ? 'notification_fileShared' : (type === 'file' ? 'notification_fileShared' :
'notification_padShared'); 'notification_padShared');
var name = Util.fixHTML(msg.content.name) || Messages.anonymous;
var title = Util.fixHTML(msg.content.title);
content.getFormatText = function () { content.getFormatText = function () {
return Messages._getKey(key, [msg.content.name || Messages.anonymous, msg.content.title]); return Messages._getKey(key, [name, title]);
}; };
content.handler = function () { content.handler = function () {
var todo = function () { var todo = function () {
@ -121,8 +127,10 @@ define([
if (msg.author !== msg.content.user.curvePublic) { return; } if (msg.author !== msg.content.user.curvePublic) { return; }
// Display the notification // Display the notification
var name = Util.fixHTML(msg.content.user.displayName) || Messages.anonymous;
var title = Util.fixHTML(msg.content.title);
content.getFormatText = function () { content.getFormatText = function () {
return Messages._getKey('requestEdit_request', [msg.content.title, msg.content.user.displayName]); return Messages._getKey('requestEdit_request', [title, name]);
}; };
// if not archived, add handlers // if not archived, add handlers
@ -136,6 +144,9 @@ define([
var verified = h('p'); var verified = h('p');
var $verified = $(verified); var $verified = $(verified);
var name = Util.fixHTML(msg.content.user.displayName) || Messages.anonymous;
var title = Util.fixHTML(msg.content.title);
if (priv.friends && priv.friends[msg.author]) { if (priv.friends && priv.friends[msg.author]) {
$verified.addClass('cp-notifications-requestedit-verified'); $verified.addClass('cp-notifications-requestedit-verified');
var f = priv.friends[msg.author]; var f = priv.friends[msg.author];
@ -144,11 +155,11 @@ define([
$verified.append(h('p', Messages._getKey('requestEdit_fromFriend', [f.displayName]))); $verified.append(h('p', Messages._getKey('requestEdit_fromFriend', [f.displayName])));
common.displayAvatar($avatar, f.avatar, f.displayName); common.displayAvatar($avatar, f.avatar, f.displayName);
} else { } else {
$verified.append(Messages._getKey('requestEdit_fromStranger', [msg.content.user.displayName])); $verified.append(Messages._getKey('requestEdit_fromStranger', [name]));
} }
var div = h('div', [ var div = h('div', [
UI.setHTML(h('p'), Messages._getKey('requestEdit_confirm', [msg.content.title, msg.content.user.displayName])), UI.setHTML(h('p'), Messages._getKey('requestEdit_confirm', [title, name])),
verified, verified,
link link
]); ]);
@ -184,9 +195,12 @@ define([
if (!msg.content.href) { return; } if (!msg.content.href) { return; }
var name = Util.fixHTML(msg.content.user.displayName) || Messages.anonymous;
var title = Util.fixHTML(msg.content.title);
// Display the notification // Display the notification
content.getFormatText = function () { content.getFormatText = function () {
return Messages._getKey('requestEdit_accepted', [msg.content.title, msg.content.user.displayName]); return Messages._getKey('requestEdit_accepted', [title, name]);
}; };
// if not archived, add handlers // if not archived, add handlers
@ -196,6 +210,8 @@ define([
}; };
}; };
// NOTE: don't forget to fixHTML everything returned by "getFormatText"
return { return {
add: function (common, data) { add: function (common, data) {
var type = data.content.msg.type; var type = data.content.msg.type;