Fixes vulnerability in posting a comment in the temporary rendering

c33ceff6 · Tim Zallmann · Jose Ivan Vargas · 1e878fd7 · c33ceff6 · c33ceff6
Commit c33ceff6 authored Sep 01, 2017 by Tim Zallmann Committed by Jose Ivan Vargas Sep 05, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 4 deletions

app/assets/javascripts/notes.js app/assets/javascripts/notes.js +4 -4

spec/javascripts/notes_spec.js spec/javascripts/notes_spec.js +15 -0

No files found.
--- a/app/assets/javascripts/notes.js
+++ b/app/assets/javascripts/notes.js
@@ -1274,16 +1274,16 @@ export default class Notes {
      `<li id="${uniqueId}" class="note being-posted fade-in-half timeline-entry">
         <div class="timeline-entry-inner">
            <div class="timeline-icon">
-               <a href="/${currentUsername}">
+               <a href="/${_.escape(currentUsername)}">
                 <img class="avatar s40" src="${currentUserAvatar}" />
               </a>
            </div>
            <div class="timeline-content ${discussionClass}">
               <div class="note-header">
                  <div class="note-header-info">
-                     <a href="/${currentUsername}">
-                       <span class="hidden-xs">${currentUserFullname}</span>
-                       <span class="note-headline-light">@${currentUsername}</span>
+                     <a href="/${_.escape(currentUsername)}">
+                       <span class="hidden-xs">${_.escape(currentUserFullname)}</span>
+                       <span class="note-headline-light">@${_.escape(currentUsername)}</span>
                     </a>
                  </div>
               </div>

--- a/spec/javascripts/notes_spec.js
+++ b/spec/javascripts/notes_spec.js
@@ -768,6 +768,21 @@ import '~/notes';
        expect($tempNote.prop('nodeName')).toEqual('LI');
        expect($tempNote.find('.timeline-content').hasClass('discussion')).toBeTruthy();
      });
+
+      it('should return a escaped user name', () => {
+        const currentUserNameXSS = 'Foo <script>alert("XSS")</script>';
+        const $tempNote = this.notes.createPlaceholderNote({
+          formContent: sampleComment,
+          uniqueId,
+          isDiscussionNote: false,
+          currentUsername,
+          currentUserNameXSS,
+          currentUserAvatar,
+        });
+        const $tempNoteHeader = $tempNote.find('.note-header');
+
+        expect($tempNoteHeader.find('.hidden-xs').text().trim()).toEqual('Foo &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;');
+      });
    });

    describe('createPlaceholderSystemNote', () => {