Render flash message content with .text

.html does not escape any html input in these, leading to XSS
attack vectors.

Thanks to A Kai (@sixhundredns) for reporting the related issues.
Jonne Haß 2014-05-24 16:08:32 +02:00
parent d36589e05b
commit ecb1b80e24
3 changed files with 24 additions and 4 deletions
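As an added illustration (not code from this commit or from the diaspora* code base), the following Node-runnable JavaScript models what the one-line change does. It stands in for jQuery's `.html(str)` and `.text(str)` with plain string handling: `renderFlashUnsafe` interpolates the notice as markup the way `.html()` would parse it, `renderFlashSafe` escapes it the way a text node is serialized, and `hasInjectedTag` is a deliberately crude check (assumed helper, not a real DOM parse) used to show that only the first form turns the payload from the feature tests into an element:

```javascript
// Added example, not diaspora*'s code. Models jQuery .html(str) vs .text(str)
// for a server-supplied flash notice using string escaping instead of a DOM.

// Escape the five characters that can change HTML structure. A browser
// applies the same transformation when serializing a text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for $("<div/>", { class: "message" }).html(notice): the notice is
// parsed as markup, so any tags inside it become live elements.
function renderFlashUnsafe(notice) {
  return `<div class="message">${notice}</div>`;
}

// Stand-in for .text(notice): the notice becomes one text node and is
// serialized with its metacharacters escaped.
function renderFlashSafe(notice) {
  return `<div class="message">${escapeHtml(notice)}</div>`;
}

// Crude check (assumption: the wrapper is exactly the div above): does the
// produced markup contain any tag other than the wrapper div?
function hasInjectedTag(markup) {
  const inner = markup.slice('<div class="message">'.length, -'</div>'.length);
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample: the payload from the commit's feature files after the
// server has interpolated it into a notice.
const NOTICE = 'You have started sharing with <script>alert(0)//!';

// Run stand-alone to see both renderings side by side.
console.log('unsafe:', renderFlashUnsafe(NOTICE), hasInjectedTag(renderFlashUnsafe(NOTICE)));
console.log('safe:  ', renderFlashSafe(NOTICE), hasInjectedTag(renderFlashSafe(NOTICE)));
```

The escaped output still reads as the original sentence once the browser decodes the entities, which is exactly what the `Then I should see a flash message containing "..."` steps added in this commit rely on.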

View file

@ -19,7 +19,7 @@
.html($("<div/>", { .html($("<div/>", {
'class': "message" 'class': "message"
}) })
.html(result.notice)) .text(result.notice))
.prependTo(document.body); .prependTo(document.body);
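Review bot: switching `.html(result.notice)` to `.text(result.notice)` is the right fix for this call site, since `result.notice` is a server-supplied string and `.text()` inserts it as a text node; the outer `.html($("<div/>", { ... }))` call that remains receives a jQuery object rather than a string, so it is not an injection point. Two things to confirm before merging: that no notice delivered as `result.notice` is meant to carry markup (links, emphasis), because `.text()` will now show such markup as literal characters; and that no other `.html(` call in this file is fed a string built from user-controlled data, since the commit message credits a report of "related issues" but the hunk touches only this one site.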

View file

@ -44,6 +44,19 @@ Feature: following and being followed
When I am on the home page When I am on the home page
Then I should see "I am ALICE" Then I should see "I am ALICE"
Scenario: I follow a malicious user
When I sign in as "bob@bob.bob"
And I go to the edit profile page
And I fill in the following:
| profile_first_name | <script>alert(0)// |
And I press "update_profile"
Then I should be on my edit profile page
When I sign in as "alice@alice.alice"
And I am on "bob@bob.bob"'s page
And I add the person to my "Besties" aspect
Then I should see a flash message containing "You have started sharing with <script>alert(0)//!"
Scenario: seeing non-public posts of someone you follow who also follows you Scenario: seeing non-public posts of someone you follow who also follows you
When I sign in as "alice@alice.alice" When I sign in as "alice@alice.alice"
And I am on "bob@bob.bob"'s page And I am on "bob@bob.bob"'s page
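Review bot: the new scenario checks only that the literal string `You have started sharing with <script>alert(0)//!` is visible in the flash; nothing asserts that no `script` element was injected into the flash container. A positive text check does pass once `.text()` is used, but an explicit negative step documents the intent and gives a clearer failure on a regression to `.html()`. This feature already uses an element-absence step of the shape `Then I should not see a "#message_button" within "#profile"`, so a step of that form against the `.message` div would fit without new step definitions.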
@ -87,7 +100,7 @@ Feature: following and being followed
When I sign in as "bob@bob.bob" When I sign in as "bob@bob.bob"
And I am on "alice@alice.alice"'s page And I am on "alice@alice.alice"'s page
Then I should see "Besties" Then I should see "Besties"
Then I should see a "#mention_button" within "#profile" Then I should see a "#mention_button" within "#profile"
Then I should not see a "#message_button" within "#profile" Then I should not see a "#message_button" within "#profile"
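Review bot: every rendered line of this hunk is identical on both sides, so the edit the header `@ -87,7 +100,7 @@` records is not visible here (most likely a whitespace or line-ending change); the same holds for the `@ -107,6 +120,6 @@` hunk below. Whitespace churn inside a security fix makes the commit harder to review and to backport; consider dropping it or moving it to its own commit.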
@ -107,6 +120,6 @@ Feature: following and being followed
And I add the person to my "Unicorns" aspect And I add the person to my "Unicorns" aspect
When I go to "bob@bob.bob"'s page When I go to "bob@bob.bob"'s page
Then I should see "All Aspects" Then I should see "All Aspects"
Then I should see a "#mention_button" within "#profile" Then I should see a "#mention_button" within "#profile"
Then I should see a "#message_button" within "#profile" Then I should see a "#message_button" within "#profile"

View file

@ -16,6 +16,13 @@ Feature: new user registration
Then I should be on the stream page Then I should be on the stream page
And I should not see "awesome_button" And I should not see "awesome_button"
Scenario: new user tries to XSS itself
When I fill in the following:
| profile_first_name | <script>alert(0)// |
And I focus the "follow_tags" field
Then I should see a flash message containing "Hey, <script>alert(0)//!"
Scenario: new user does not add any tags in setup wizard and cancel the alert Scenario: new user does not add any tags in setup wizard and cancel the alert
When I fill in the following: When I fill in the following:
| profile_first_name | some name | | profile_first_name | some name |
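Review bot: the trigger for the flash under test is not obvious from the scenario: the payload is typed into `profile_first_name`, then `And I focus the "follow_tags" field` produces the `Hey, <script>alert(0)//!` message with no submit step in between, so this scenario exercises the client-side `.text()` change directly rather than any server-side escaping. A scenario name or a short comment that says so would make the purpose of the focus step clear to the next reader, and the `<script>alert(0)//` payload now appears verbatim in two feature files, which is worth factoring into a shared step or constant if the suite supports it.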