Fixed XSS by adding 'encodeToHTML()'
dima767 committed May 24, 2009
1 parent b8f58dd commit acfb6f0
Showing 17 changed files with 56 additions and 76 deletions.
2 changes: 1 addition & 1 deletion grails-app/controllers/GrailsAffiliationController.groovy
Expand Up @@ -30,7 +30,7 @@ class GrailsAffiliationController extends SecureController {
def details = {
def affiliation = GrailsAffiliation.get(params.id)
if (affiliation.description.trim()) {
render """<div class="description-box">${affiliation.description.encodeAsTextile()}</div><br/>"""
render """<div class="description-box">${affiliation.description.encodeAsHTML()}</div><br/>"""
}
else {
render 'No details available<br/>'
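Review bot: The new render line replaces `encodeAsTextile()` with `encodeAsHTML()` instead of chaining them, so this is the one place in the commit where Textile rendering of a description is dropped entirely; the views changed alongside it (comment/list.gsp, viewProject.gsp, viewProfile.gsp) all use `encodeAsHTML().encodeAsTextile()`. If Textile markup in affiliation descriptions is still expected to render, the line should read `render """<div class="description-box">${affiliation.description.encodeAsHTML().encodeAsTextile()}</div><br/>"""`; if dropping it is intended, a one-line comment saying so would stop the next reader from "fixing" it back. The guard `affiliation.description.trim()` on the line above still dereferences with no null check — `GrailsAffiliation.get(params.id)` returns null when no row matches — but that is pre-existing. The details closure continues past the end of the hunk.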
2 changes: 1 addition & 1 deletion grails-app/views/comment/list.gsp
Expand Up @@ -25,7 +25,7 @@
</span>
<br/>
<br/>
<span class="content-font">${comment.body.encodeAsTextile()}</span>
<span class="content-font">${comment.body.encodeAsHTML().encodeAsTextile()}</span>
</div>
<br/>
</g:each>
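Review bot: `comment.body.encodeAsHTML().encodeAsTextile()` HTML-escapes the body before the Textile codec sees it, so every `"`, `<`, `>` and `&` reaches Textile as an entity; Textile constructs built on those characters (the `"text":url` link form in particular) will no longer parse, and comments that relied on them now render as literal escaped text. The reverse order would let Textile's generated tags through unescaped, so this order is the safer one, but it does not by itself make the output safe: whatever the Textile codec emits from the syntax that survives escaping (including any URL attributes it builds from the text) is written raw into the page, so the codec's output should still go through an HTML sanitizer with an element/attribute allow-list, or the Textile codec's own escaping of the attributes it generates should be confirmed. The same chained call appears in viewProject.gsp (description, architectureDescription, comment body) and viewProfile.gsp (member.about), and this note applies there too.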
2 changes: 1 addition & 1 deletion grails-app/views/grailsProject/discover.gsp
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Discover projects: ${project.name}</title>
<title>Discover projects: ${project.name.encodeAsHTML()}</title>
<meta name="layout" content="grailscrowd" />
</head>

12 changes: 6 additions & 6 deletions grails-app/views/grailsProject/viewProject.gsp
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title><g:message code="project.view.dom.title" /> ${grailsProject.name}</title>
<title><g:message code="project.view.dom.title" /> ${grailsProject.name.encodeAsHTML()}</title>

<meta name="layout" content="grailscrowd" />
<feed:meta kind="atom" version="1.0" controller="grailsProject" action="commentsFeed" id="${grailsProject.id}"/>
Expand All @@ -11,7 +11,7 @@
<body id="project">

<div id="nav-context">
<h1><g:message code="project.view.title" /> ${grailsProject.name}</h1>
<h1><g:message code="project.view.title" /> ${grailsProject.name.encodeAsHTML()}</h1>
<span class="meta-info">Created on <g:niceDate date="${grailsProject.dateCreated}" /></span>
<br />

Expand All @@ -30,15 +30,15 @@

<div class="description-box">
<span class="content-font">
${grailsProject.description.encodeAsTextile()}
${grailsProject.description.encodeAsHTML().encodeAsTextile()}
</span>
</div>

<g:if test="${grailsProject.architectureDescription}">
<h4 class="page-section-header">Architecture description</h4>
<div class="transparent-box">
<span class="content-font">
${grailsProject.architectureDescription.encodeAsTextile()}
${grailsProject.architectureDescription.encodeAsHTML().encodeAsTextile()}
</span>
</div>
</g:if>
Expand All @@ -49,7 +49,7 @@
<span class="content-font">
<g:if test="${grailsProject.uri}">
<label><g:message code="project.view.label.url" />:</label>
<a href="${grailsProject.uri}" target="_blank">${grailsProject.uri}</a>
<a href="${grailsProject.uri.encodeAsURL()}" target="_blank">${grailsProject.uri}</a>
<br />
<br />
</g:if>
Expand All @@ -74,7 +74,7 @@
</span>
<br/>
<br/>
<span class="content-font">${comment.body.encodeAsTextile()}</span>
<span class="content-font">${comment.body.encodeAsHTML().encodeAsTextile()}</span>
</div>
<br/>
</g:each>
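Review bot: `grailsProject.uri.encodeAsURL()` in the href is the wrong codec for a whole URL: as far as I can tell Grails' encodeAsURL is URLEncoder-style form encoding of the entire string, so `:`, `/` and `?` in an absolute URI are percent-escaped and the link no longer resolves. The codec for an attribute value is encodeAsHTML(); what neither codec does is reject a non-http scheme, so the right shape is a scheme check around an HTML-encoded value, e.g. `<g:if test="${grailsProject.uri ==~ /(?i)https?:\/\/.*/}">` wrapping `<a href="${grailsProject.uri.encodeAsHTML()}" target="_blank">${grailsProject.uri.encodeAsHTML()}</a>`. Note also that in this hunk the visible link text `${grailsProject.uri}` is left unencoded, unlike the same pattern in viewProfile.gsp where the text is encoded. The same encodeAsURL-on-href pattern appears in viewProfile.gsp on every profile link (homePageUri, linkedInProfileUri, twitterProfileUri, friendFeedProfileUri, flickrProfileUri, deliciousProfileUri, ohlohProfileUri, companyUri) and should be fixed the same way there.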
2 changes: 1 addition & 1 deletion grails-app/views/layouts/grailscrowd.gsp
Expand Up @@ -21,7 +21,7 @@

<p id="nav-meta">
<g:if test="${loggedInMember}">
<g:message code="header.auth.welcome.signedin" /> <g:link controller="member" action="viewProfile" params="[_name:loggedInMember.name]">${loggedInMember.name}</g:link>
<g:message code="header.auth.welcome.signedin" /> <g:link controller="member" action="viewProfile" params="[_name:loggedInMember.name]">${loggedInMember.name.encodeAsHTML()}</g:link>
<span>|</span> <g:if test="${loggedInMember.mailbox.hasAnyNewMessages()}"><g:link style="background-color: #fff;" controller="mailbox"><img src="${createLinkTo(dir:'images',file:'inbox-new.gif')}" alt="Inbox"/></g:link><b>(${loggedInMember.mailbox.numberOfNewMessages} new)</b></g:if>
<g:else><g:link style="background-color: #fff;" controller="mailbox"><img src="${createLinkTo(dir:'images',file:'inbox-no-new.gif')}" alt="Inbox"/></g:link></g:else>
<span>|</span> (<g:link controller="authentication" action="handleLogout"><g:message code="header.auth.signout" /></g:link>)
4 changes: 2 additions & 2 deletions grails-app/views/mailbox/mailbox.gsp
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Mailbox: ${loggedInMember.name}</title>
<title>Mailbox: ${loggedInMember.name.encodeAsHTML()}</title>
<meta name="layout" content="grailscrowd" />
</head>

Expand All @@ -27,7 +27,7 @@
<tr>
</g:else>
<td>
${message.subject}
${message.subject.encodeAsHTML()}
</td>
<td>
<g:link class="inline-link" controller="mailbox" action="showMessage" params="[id:message.id]">details...</g:link>
4 changes: 2 additions & 2 deletions grails-app/views/mailbox/message.gsp
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Message for: ${loggedInMember.name}</title>
<title>Message for: ${loggedInMember.name.encodeAsHTML()}</title>
<meta name="layout" content="grailscrowd" />
</head>

Expand All @@ -18,7 +18,7 @@

<span class="content-font">
<p>
${message.body}
${message.body.encodeAsHTML()}
</p>
<g:render template="messageVariation" model="[message:message]" />
<g:link class="inline-link" controller="mailbox">&laquo; Go back to mailbox</g:link>
2 changes: 1 addition & 1 deletion grails-app/views/member/discover.gsp
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Discover members: ${member.displayName}</title>
<title>Discover members: ${member.displayName.encodeAsHTML()}</title>
<meta name="layout" content="grailscrowd" />
</head>

3 changes: 2 additions & 1 deletion grails-app/views/member/editProfile.gsp
@@ -1,5 +1,6 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">

<head>
<title>Edit profile: ${loggedInMember.name} /></title>
<meta name="layout" content="grailscrowd" />
Expand All @@ -22,7 +23,7 @@
<g:form name="personal-info" method="post" controller="member" action="updateProfile">
<h4 class="page-section-header">Your personal info</h4>
<div id="personal-info-box" class="box">
<p><label for="displayName">Display name:</label><br/> <input type="text" name="displayName" id="displayName"
<p><label for="displayName">Display name:</label><br/> <input type="text" size="55" name="displayName" id="displayName"
value="${member.displayName}"/>

<p><label for="about">About me</label> (<a href="http://hobix.com/textile/quick.html" target="_blank">Textile enabled</a>):<br/><textarea name="about" cols="53" rows="10"
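Review bot: The rewritten `Display name` input tag still takes `value="${member.displayName}"` on the following line without encodeAsHTML(), so this attribute value is written raw while the same field is being encoded everywhere else in the commit; it should be `value="${member.displayName.encodeAsHTML()}"`. The `<title>Edit profile: ${loggedInMember.name} /></title>` context line in the first hunk is likewise unencoded and carries a stray ` />` inside the title text. The `about` textarea whose opening tag begins on the last line of the second hunk presumably echoes `member.about` the same way; its body is outside the hunk, so it is worth checking as well.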
4 changes: 2 additions & 2 deletions grails-app/views/member/home.gsp
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>${loggedInMember.name} home</title>
<title>${loggedInMember.name.encodeAsHTML()} home</title>

<meta name="layout" content="grailscrowd" />
</head>
Expand All @@ -10,7 +10,7 @@
<body id="member-home">

<div id="nav-context">
<h1>Hi there, ${loggedInMember.displayName}</h1>
<h1>Hi there, ${loggedInMember.displayName.encodeAsHTML()}</h1>
</div>

<div class="content">
14 changes: 0 additions & 14 deletions grails-app/views/member/last7Days.gsp

This file was deleted.

48 changes: 19 additions & 29 deletions grails-app/views/member/viewProfile.gsp
@@ -1,7 +1,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Member: ${member.name}</title>
<title>Member: ${member.name.encodeAsHTML()}</title>

<meta name="layout" content="grailscrowd" />
</head>
Expand All @@ -12,13 +12,13 @@
<div id="nav-context">
<!-- TODO: encapsulate these type of checks in taglib? -->
<g:if test="${loggedInMember?.id == member.id}">
<h1><avatar:gravatar email="${member.email}" defaultGravatarUrl="${'http://grailscrowd.com/images/default-gravatar-80.png'.encodeAsURL()}" size="80"/> ${member.name} / ${member.displayName}</h1>
<h6>[ <g:link class="inline-link" controller="member" action="editProfile">edit profile</g:link> ] | [ <g:link class="inline-link" controller="account">edit account settings</g:link> ]</h6>
<h1><avatar:gravatar email="${member.email}" defaultGravatarUrl="${'http://grailscrowd.com/images/default-gravatar-80.png'.encodeAsURL()}" size="80"/> ${member.name.encodeAsHTML()} / ${member.displayName.encodeAsHTML()}</h1>
<h6><span class="meta-info"><br/>Your profile has been viewed <strong>${member.numberOfPublicViews}</strong> time(s)</span> [ <g:link class="inline-link" controller="member" action="editProfile">edit profile</g:link> ] | [ <g:link class="inline-link" controller="account">edit account settings</g:link> ]</h6>
</g:if>
<g:else>
<h1><avatar:gravatar email="${member.email}" defaultGravatarUrl="${'http://grailscrowd.com/images/default-gravatar-80.png'.encodeAsURL()}" size="80"/> Member: ${member.displayName}</h1>
<h1><avatar:gravatar email="${member.email}" defaultGravatarUrl="${'http://grailscrowd.com/images/default-gravatar-80.png'.encodeAsURL()}" size="80"/> Member: ${member.displayName}</h1>
</g:else>
<span class="meta-info">Joined on <g:niceDate date="${member.joinedOn}" /></span>
<span class="meta-info">Joined on <g:niceDate date="${member.joinedOn}" />
<hr />
&rarr; <g:link class="inline-link" controller="tag" action="cloudForMember" params="[_name:member.name]">Tags (${member.numberOfTags})</g:link>
</div>
Expand All @@ -34,10 +34,10 @@
<div class="description-box">
<span class="content-font">
<g:if test="${member.about}">
${member.about.encodeAsTextile()}
${member.about.encodeAsHTML().encodeAsTextile()}
</g:if>
<g:else>
My name is <b>${member.displayName}</b> and I'm now a part of the friendly Grails community! I haven't had a chance to write a few words about myself yet.
My name is <b>${member.displayName.encodeAsHTML()}</b> and I'm now a part of the friendly Grails community! I haven't had a chance to write a few words about myself yet.
</g:else>
</span>
</div>
Expand All @@ -46,7 +46,7 @@
<h4 class="page-section-header">Hometown</h4>
<p class="transparent-box">
<span class="content-font">
<label>I am originally from:</label> ${member.homeTown}
<label>I am originally from:</label> ${member.homeTown.encodeAsHTML()}
</span>
</p>
</g:if>
Expand All @@ -57,7 +57,7 @@
<span class="content-font">
<label>I currently live in:</label>
<g:link controller="member" action="findByLocation"
params="[q:member.location]">${member.location}</g:link>
params="[q:member.location]">${member.location.encodeAsHTML()}</g:link>
</span>
</p>
</g:if>
Expand All @@ -67,43 +67,43 @@
<p class="transparent-box">
<span class="content-font">
<g:if test="${member.homePageUri}">
<label>Personal web resource (Blog, home page, etc.):</label> <a href="${member.homePageUri}" target="_blank">${member.homePageUri}</a>
<label>Personal web resource (Blog, home page, etc.):</label> <a href="${member.homePageUri.encodeAsURL()}" target="_blank">${member.homePageUri.encodeAsHTML()}</a>
<br />
<br />
</g:if>
<g:if test="${member.linkedInProfileUri}">
<img src="${createLinkTo(dir:'images',file:'linkedin.png')}" alt="LinkedIn"/>
<label>LinkedIn profile:</label> <a href="${member.linkedInProfileUri}" target="_blank">${member.linkedInProfileUri}</a>
<label>LinkedIn profile:</label> <a href="${member.linkedInProfileUri.encodeAsURL()}" target="_blank">${member.linkedInProfileUri.encodeAsHTML()}</a>
<br />
<br />
</g:if>
<g:if test="${member.twitterProfileUri}">
<img src="${createLinkTo(dir:'images',file:'twitter.png')}" alt="Twitter"/>
<label>Twitter profile:</label> <a href="${member.twitterProfileUri}" target="_blank">${member.twitterProfileUri}</a>
<label>Twitter profile:</label> <a href="${member.twitterProfileUri.encodeAsURL()}" target="_blank">${member.twitterProfileUri.encodeAsHTML()}</a>
<br />
<br />
</g:if>
<g:if test="${member.friendFeedProfileUri}">
<img src="${createLinkTo(dir:'images',file:'friendfeed.png')}" alt="FF"/>
<label>FriendFeed profile:</label> <a href="${member.friendFeedProfileUri}" target="_blank">${member.friendFeedProfileUri}</a>
<label>FriendFeed profile:</label> <a href="${member.friendFeedProfileUri.encodeAsURL()}" target="_blank">${member.friendFeedProfileUri.encodeAsHTML()}</a>
<br />
<br />
</g:if>
<g:if test="${member.flickrProfileUri}">
<img src="${createLinkTo(dir:'images',file:'flickr.png')}" alt="Flickr"/>
<label>Flickr photos:</label> <a href="${member.flickrProfileUri}" target="_blank">${member.flickrProfileUri}</a>
<label>Flickr photos:</label> <a href="${member.flickrProfileUri.encodeAsURL()}" target="_blank">${member.flickrProfileUri.encodeAsHTML()}</a>
<br />
<br />
</g:if>
<g:if test="${member.deliciousProfileUri}">
<img src="${createLinkTo(dir:'images',file:'delicious.png')}" alt="Delicious"/>
<label>Delicious bookmarks:</label> <a href="${member.deliciousProfileUri}" target="_blank">${member.deliciousProfileUri}</a>
<label>Delicious bookmarks:</label> <a href="${member.deliciousProfileUri.encodeAsURL()}" target="_blank">${member.deliciousProfileUri.encodeAsHTML()}</a>
<br />
<br />
</g:if>
<g:if test="${member.ohlohProfileUri}">
<img src="${createLinkTo(dir:'images',file:'ohloh.png')}" alt="Ohloh"/>
<label>Ohloh profile:</label> <a href="${member.ohlohProfileUri}" target="_blank">${member.ohlohProfileUri}</a>
<label>Ohloh profile:</label> <a href="${member.ohlohProfileUri.encodeAsURL()}" target="_blank">${member.ohlohProfileUri.encodeAsHTML()}</a>
<br />
<br />
</g:if>
Expand All @@ -116,22 +116,17 @@
<p class="transparent-box">
<span class="content-font">
<g:if test="${member.companyName}">
<label>Company:</label> ${member.companyName}
<label>Company:</label> ${member.companyName.encodeAsHTML()}
<br />
<br />
</g:if>
<g:if test="${member.companyUri}">
<label>Company URL:</label> <a href="${member.companyUri}" target="_blank">${member.companyUri}</a>
<label>Company URL:</label> <a href="${member.companyUri.encodeAsURL()}" target="_blank">${member.companyUri.encodeAsHTML()}</a>
<br />
<br />
</g:if>
<g:if test="${member.availableForHire}">
I am interested in various employment opportunities.
<!-- <g:if test="${loggedInMember && loggedInMember.id != member.id}"><g:link class="inline-link" controller="mailbox" action="composeEmploymentOpportunity" forMember="${member.name}">[Contact me]</g:link></g:if>
<g:else>
<span class="invisible">${session.memberToBeContacted = member.name}</span>
<g:link class="inline-link" controller="authentication">Sign in</g:link> so you could contact me directly.
</g:else> -->
</g:if>
</span>
</p>
Expand All @@ -143,7 +138,7 @@
<br />
<p class="transparent-box">
<span class="content-font">
You can contact me directly. My email address is: <b><a class="inline-link" href="mailto:${member.email}">${member.email}</a></b>
You can contact me directly. My email address is: <b><a class="inline-link" href="mailto:${member.email.encodeAsURL()}">${member.email.encodeAsHTML()}</a></b>
</span>
</p>
</g:if>
Expand Down Expand Up @@ -214,11 +209,6 @@
<p><input class="btn" type="submit" name="invite" id="invite" value="Invite"/></p>
</g:form>
</g:if>

<g:if test="${loggedInMember?.id == member.id}">
<hr />
<span class="meta-info">Your profile has been viewed <strong>${member.numberOfPublicViews}</strong> time(s)</span>
</g:if>

</div> <!-- sub -->

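Review bot: In the nav-context hunk the owner-branch `<h1>` now encodes `member.name` and `member.displayName`, but the `<g:else>` branch's `Member: ${member.displayName}` heading is unchanged and still written raw; that branch is what every other visitor sees, so it should read `Member: ${member.displayName.encodeAsHTML()}`. On the `Joined on` line the new version appears to drop the closing `</span>` that the old line had, which leaves the meta-info span open across the `<hr />` and the Tags link in an XHTML 1.0 Strict document — if the two printed lines are old-then-new, `</span>` should be restored after `<g:niceDate date="${member.joinedOn}" />`. The gravatar `email="${member.email}"` attribute in both branches is also passed unencoded; whether the taglib escapes it cannot be seen from this page.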
