From a712ce457d30041e9653a5346c73dc8b51001496 Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Mon, 19 Oct 2020 20:48:53 -0400
Subject: [PATCH] gritter: Treat strings as text, not HTML
This forces users to use jQuery or DOM objects if they want formatting, which helps avoid XSS vulnerabilities.
---
 src/static/js/chat.js | 5 ++++-
 src/static/js/gritter.js | 8 +++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/static/js/chat.js b/src/static/js/chat.js
index ca488fe5..f438ebff 100755
--- a/src/static/js/chat.js
+++ b/src/static/js/chat.js
@@ -193,7 +193,10 @@ var chat = (function()
 if(!chatOpen && ctx.duration > 0)
 {
 $.gritter.add({
- text: '' + ctx.authorName + '' + ctx.text,
+ // Note: ctx.authorName and ctx.text are already HTML-escaped.
+ text: $('

')
+ .append($('').addClass('author-name').html(ctx.authorName))
+ .append(ctx.text),
 sticky: ctx.sticky,
 time: 5000,
 position: 'bottom',
diff --git a/src/static/js/gritter.js b/src/static/js/gritter.js
index e6bb2084..64295ef7 100644
--- a/src/static/js/gritter.js
+++ b/src/static/js/gritter.js
@@ -11,7 +11,8 @@
 * Edited by Sebastian Castro on 2020-03-31
 *
 * Edited by Richard Hansen on 2020-10-19 to accept jQuery or DOM objects for
- * notification title and text.
+ * notification title and text, and to treat plain strings as text instead of HTML (to avoid XSS
+ * vunlerabilities).
 */
 (function($){
@@ -142,7 +143,8 @@
 // String replacements on the template
 if(title){
- title = this._tpl_title.clone().append(title);
+ title = this._tpl_title.clone().append(
+ typeof title === 'string' ? document.createTextNode(title) : title);
 }else{
 title = '';
 }
@@ -152,7 +154,7 @@
 tmp.addClass(item_class);
 tmp.find('.gritter-content')
 .append(title)
- .append(typeof text === 'string' ? $('
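Review bot: The `.append(ctx.text)` line still hands a plain string to jQuery's `.append()`, which parses it as HTML, so this call site does not get the "strings are text" guarantee that the gritter change introduces; it is safe only because of the escaping invariant the added comment asserts, and that invariant is established outside this hunk, where `ctx` is built. Spell that dependency out so a later edit to the chat pipeline does not silently break it, e.g. `// Note: ctx.authorName and ctx.text are already HTML-escaped before they reach this code; they are deliberately passed as strings to .html()/.append() so that markup is rendered.` The enclosing function begins outside the hunk, and the wrapper element's selector is garbled on this page, so neither can be checked here.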
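Review bot: The added header line `+ * vunlerabilities).` misspells the word; it should read ` * vulnerabilities).` so the comment matches the commit message. Nothing else in this hunk changes behaviour.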
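Review bot: The string-to-text conversion is written two different ways: here with `document.createTextNode(title)`, and in the `@@ -152,7 +154,7 @@` hunk with `$(...).text(text)`, so a reader auditing the text-not-HTML rule has to verify each site separately, and the `typeof … === 'string'` guard in both only matches primitive strings. A single private helper inside the closure, e.g. `var asText = function(v){ return typeof v === 'string' ? document.createTextNode(v) : v; };`, called from both sites (the text branch can still wrap the result in its container element) would make the rule one line to audit and keep the two paths from drifting apart. The enclosing function starts before this hunk.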

').html(text) : text);
+ .append(typeof text === 'string' ? $('

').text(text) : text);
 // If it's false, don't show another gritter message
 if(this['_before_open_' + number]() === false){