infra
/
cryptpad
2
1
Fork 0
Code Issues Pull Requests Projects Releases 1 Activity

Fix XSS in the user dropdown menu

pull/1/head
yflory 2017-03-01 13:08:09 +01:00
parent f130fd0598
commit 26e3971482
1 changed files with 18 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
www/common/cryptpad-common.js
View File

@ -163,10 +163,13 @@ define([
// var isArray = function (o) { return Object.prototype.toString.call(o) === '[object Array]'; };
var isArray = common.isArray = $.isArray;
var fixHTML = common.fixHTML = function (html) {
return html.replace(/</g, '&lt;');
var fixHTML = common.fixHTML = function (str) {
return str.replace(/[<>&"']/g, function (x) {
return ({ "<": "&lt;", ">": "&gt", "&": "&amp;", '"': "&#34;", "'": "&#39;" })[x];
});
};
var truncate = common.truncate = function (text, len) {
if (typeof(text) === 'string' && text.length > len) {
return text.slice(0, len) + '…';
@ -1142,22 +1145,22 @@ define([
var $displayedName = $('<span>', {'class': config.displayNameCls || 'displayName'});
var accountName = localStorage[common.userNameKey];
var account = isLoggedIn();
var $userAdminContent = $('<p>');
if (account) {
var $userAccount = $('<span>', {'class': 'userAccount'}).append(Messages.user_accountName + ': ' + accountName);
$userAdminContent.append($userAccount);
$userAdminContent.append($('<br>'));
}
var $userName = $('<span>', {'class': 'userDisplayName'});
if (config.displayName) {
// Hide "Display name:" in read only mode
$userName.append(Messages.user_displayName + ': ');
$userName.append($displayedName.clone());
}
//$userName.append($displayedName.clone()); TODO remove ?
$userAdminContent.append($userName);
var options = [];
if (config.displayNameCls) {
var $userAdminContent = $('<p>');
if (account) {
var $userAccount = $('<span>', {'class': 'userAccount'}).append(Messages.user_accountName + ': ' + fixHTML(accountName));
$userAdminContent.append($userAccount);
$userAdminContent.append($('<br>'));
}
if (config.displayName) {
// Hide "Display name:" in read only mode
$userName.append(Messages.user_displayName + ': ');
$userName.append($displayedName.clone());
}
//$userName.append($displayedName.clone()); TODO remove ?
$userAdminContent.append($userName);
options.push({
tag: 'p',
attributes: {'class': 'accountData'},