Fix XSS with display names in the user list

pull/1/head
yflory 8 years ago
parent 26e3971482
commit 5797aab3f2

@ -207,32 +207,35 @@ define([
var anonymous = numberOfEditUsers - editUsersNames.length; var anonymous = numberOfEditUsers - editUsersNames.length;
// Update the userlist // Update the userlist
var $usersTitle = $('<h2>').text(Messages.users);
var $editUsers = $userButtons.find('.' + USERLIST_CLS);
$editUsers.html('').append($usersTitle);
var editUsersList = ''; var editUsersList = '';
var $editUsersList = $('<pre>');
if (readOnly !== 1) { if (readOnly !== 1) {
editUsersNames.unshift('<span class="yourself">' + Messages.yourself + '</span>'); $editUsers.append('<span class="yourself">' + Messages.yourself + '</span>');
anonymous--; anonymous--;
} }
if (editUsersNames.length > 0) {
$editUsersList.text(editUsersNames.join('\n')); // .text() to avoid XSS
$editUsers.append($editUsersList);
}
if (anonymous > 0) { if (anonymous > 0) {
var text = anonymous === 1 ? Messages.anonymousUser : Messages.anonymousUsers; var text = anonymous === 1 ? Messages.anonymousUser : Messages.anonymousUsers;
editUsersNames.push('<span class="anonymous">' + anonymous + ' ' + text + '</span>'); $editUsers.push('<span class="anonymous">' + anonymous + ' ' + text + '</span>');
} }
if (numberOfViewUsers > 0) { if (numberOfViewUsers > 0) {
var viewText = '<span class="viewer">'; var viewText = '<span class="viewer">';
if (numberOfEditUsers > 0) { if (numberOfEditUsers > 0) {
editUsersNames.push(''); $editUsers.append('<br>');
viewText += Messages.and + ' '; viewText += Messages.and + ' ';
} }
var viewerText = numberOfViewUsers !== 1 ? Messages.viewers : Messages.viewer; var viewerText = numberOfViewUsers !== 1 ? Messages.viewers : Messages.viewer;
viewText += numberOfViewUsers + ' ' + viewerText + '</span>'; viewText += numberOfViewUsers + ' ' + viewerText + '</span>';
editUsersNames.push(viewText); $editUsers.append(viewText);
}
if (editUsersNames.length > 0) {
editUsersList += editUsersNames.join('<br>');
} }
var $usersTitle = $('<h2>').text(Messages.users);
var $editUsers = $userButtons.find('.' + USERLIST_CLS);
$editUsers.html('').append($usersTitle).append(editUsersList);
// Update the buttons // Update the buttons
var fa_editusers = '<span class="fa fa-users"></span>'; var fa_editusers = '<span class="fa fa-users"></span>';
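Review bot: The anonymous-user line `$editUsers.push('<span class="anonymous">' + anonymous + ' ' + text + '</span>');` uses jQuery's `push`, which only adds an entry to the jQuery element set (it is `Array.prototype.push` exposed on the wrapper) and never inserts anything into the DOM, so the "N anonymous users" label silently disappears after this commit; every other line in the hunk was converted to `.append(...)`, and this one should be `$editUsers.append('<span class="anonymous">' + anonymous + ' ' + text + '</span>');`. The remaining string-built markup in the hunk (`yourself`, `anonymous`, `viewer` spans) now only interpolates `Messages.*` strings and numeric counts, with the user-supplied names routed through `.text()` on the `<pre>`, so the fix holds as long as `Messages` stays a trusted, non-user-editable source; a one-line comment stating that assumption next to those appends would make the invariant visible. The enclosing function begins before this hunk and its definition is not visible here.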
