Filtered for XSS attacks properly
AABoyles committed Mar 29, 2018
1 parent e38b108 commit e60c5fe
Showing 6 changed files with 45 additions and 136 deletions.
34 changes: 15 additions & 19 deletions components/files.html
Expand Up @@ -114,7 +114,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
header: true,
preview: 1,
complete: function(output){
var headers = output.meta.fields.map(app.striptags);
var headers = output.meta.fields.map(filterXSS);
var options = '<option>None</option>' + headers.map(h => `<option value="${h}">${app.titleize(h)}</option>`).join('\n');
$(`<div class='col-4 '${isFasta?' style="display: none;"':''} data-file='${file.name}'>
<label for="file-${file.name}-field-1">${isNode?'ID':'Source'}</label>
Expand Down Expand Up @@ -189,7 +189,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
var reader = new FileReader();
reader.onloadend = function(e){
if (e.target.readyState == FileReader.DONE){
$('#reference').val(app.striptags(app.parseFASTA(e.target.result)[0].seq));
$('#reference').val(filterXSS(app.parseFASTA(e.target.result)[0].seq));
}
};
reader.readAsText(file);
Expand Down Expand Up @@ -254,8 +254,8 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
var n = 0;
var seqs = app.parseFASTA(e.target.result);
seqs.forEach(node => {
node.id = app.striptags(node.id);
node.seq = app.striptags(node.seq);
node.id = filterXSS(node.id);
node.seq = filterXSS(node.seq);
node['origin'] = [filename];
n += app.addNode(node);
});
Expand All @@ -276,7 +276,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
complete: results => {
results.data.forEach(link => {
Object.keys(link).forEach(function(key){
link[key] = app.striptags(link[key]);
link[key] = filterXSS(link[key]);
});
l += app.addLink(Object.assign({
source: '' + link[file.field1],
Expand All @@ -288,7 +288,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
});
message(` - Parsed ${l} New, ${results.data.length} Total Links from Link CSV.`);
results.meta.fields.map(key => {
key = app.striptags(key);
key = filterXSS(key);
if(!session.data.linkFields.includes(key)){
session.data.linkFields.push(key);
}
Expand Down Expand Up @@ -317,14 +317,14 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
complete: results => {
var n = 0;
results.data.forEach(node => {
node = JSON.parse(app.striptags(JSON.stringify(node)));
node = JSON.parse(filterXSS(JSON.stringify(node)));
node.id = '' + node[file.field1];
if(file.field2 !== 'None') node.seq = node[file.field2];
node['origin'] = [filename];
n += app.addNode(node);
});
results.meta.fields.forEach(key => {
key = app.striptags(key);
key = filterXSS(key);
if(!session.data.nodeFields.includes(key)){
session.data.nodeFields.push(key);
}
Expand All @@ -348,7 +348,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
var nn = 0, nl = 0;
results.data.forEach((row, i) => {
if(i == 0){
nodeIDs = row.map(app.striptags);
nodeIDs = row.map(filterXSS);
nodeIDs.forEach((cell, k) => {
if(k > 0){
nn += app.addNode({
Expand Down Expand Up @@ -404,7 +404,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
$('#loadingInformationModal').modal('hide');
setTimeout(session.network.fit, 1500);
}
drawthresholdHistogram();
session.updateThresholdHistogram();
}
};

Expand Down Expand Up @@ -450,14 +450,15 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
$('#loadingInformationModal').modal('hide');
}, 1500);
}
drawthresholdHistogram();
session.updateThresholdHistogram();
};
};

function drawthresholdHistogram(){
session.updateThresholdHistogram = function(){
var width = 280,
height = 48,
svg = d3.select("svg#link-threshold-sparkline")
.html(null)
.attr('width', width)
.attr('height', height);

Expand Down Expand Up @@ -490,14 +491,9 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
.attr("width", 6)
.attr("height", function(d) { return height - y(d.length); });

svg.append("g")
.attr("class", "axis axis--x")
.attr("transform", "translate(0," + height + ")")
.call(d3.axisBottom(x));

function updateThreshold(){
var x = d3.mouse(svg.node())[0],
range = max - min;
range = max - min;
session.state.linkThreshold = x / width * range + min;
$('#default-link-threshold').val(session.state.linkThreshold);
}
Expand Down Expand Up @@ -529,7 +525,7 @@ <h5 id="alignerControlsModalTitle" class="modal-title">Alignment Configuration</
.on('mouseup', null);
});
});
}
};
});

</script>
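Review bot: The headers sanitized on the `var headers = output.meta.fields.map(filterXSS);` line are interpolated into an attribute on the very next line, `<option value="${h}">`, and filterXSS is an element-context sanitizer — as far as I recall its default escaping only rewrites `<` and `>`, so a column name containing a double quote can still close the `value` attribute and smuggle in an event-handler attribute. The same template interpolates `file.name` completely unfiltered into `data-file='${file.name}'` and `for="file-${file.name}-field-1"`. Sanitizing the input and hoping the output context matches is fragile; encode per context instead, e.g. build each option as `$('<option>').attr('value', h).text(app.titleize(h))` and set `data-file` through `.attr()` as well, or at minimum escape `&` and `"` before attribute interpolation. The `complete:` callback that holds these lines starts and ends outside the hunk.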
11 changes: 6 additions & 5 deletions index.html
Expand Up @@ -350,17 +350,18 @@ <h3>MicrobeTrace</h3>
<script type="text/javascript" src="node_modules/jquery/dist/jquery.min.js"></script>
<script type="text/javascript" src="node_modules/popper.js/dist/umd/popper.min.js"></script>
<script type="text/javascript" src="node_modules/bootstrap/dist/js/bootstrap.min.js"></script>
<script type="text/javascript" src="vendor/bootstrap-filestyle.min.js"></script>
<script type="text/javascript" src="node_modules/golden-layout/dist/goldenlayout.min.js"></script>
<script type="text/javascript" src="node_modules/html2canvas/dist/html2canvas.min.js"></script>
<script type="text/javascript" src="node_modules/papaparse/papaparse.min.js"></script>
<script type="text/javascript" src="node_modules/xss/dist/xss.min.js"></script>
<script type="text/javascript" src="node_modules/d3/dist/d3.min.js"></script>
<script type="text/javascript" src="node_modules/plotly.js/dist/plotly.min.js"></script>
<script type="text/javascript" src="node_modules/alertifyjs/build/alertify.min.js"></script>
<script type="text/javascript" src="node_modules/screenfull/dist/screenfull.js"></script>
<script type="text/javascript" src="vendor/FileSaver.min.js"></script>
<script type="text/javascript" src="node_modules/html2canvas/dist/html2canvas.min.js"></script>
<script type="text/javascript" src="node_modules/screenfull/dist/screenfull.js"></script>
<script type="text/javascript" src="node_modules/clipboard/dist/clipboard.min.js"></script>
<script type="text/javascript" src="vendor/bootstrap-filestyle.min.js"></script>
<script type="text/javascript" src="node_modules/chosen-js/chosen.jquery.min.js"></script>
<script type="text/javascript" src="node_modules/d3/dist/d3.min.js"></script>
<script type="text/javascript" src="node_modules/plotly.js/dist/plotly.min.js"></script>
<script type="text/javascript" src="scripts/common.js"></script>
<script type="text/javascript">
$(function(){
Expand Down
7 changes: 4 additions & 3 deletions index.js
@@ -1,6 +1,7 @@
const express = require('express')
const PORT = process.env.PORT || 5000
#!/usr/bin/env node

const express = require('express');

express()
.use(express.static(__dirname))
.listen(PORT, () => console.log(`Listening on ${ PORT }`))
.listen(process.env.PORT || 5000);
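Review bot: `express.static(__dirname)` on the `.use(...)` line serves the repository root, so everything checked out next to index.js — package.json, appcache.sh, the entire node_modules tree — is downloadable from the listening port, not only the HTML and scripts the browser needs. express.static's `dotfiles` option defaults to `ignore` as far as I recall, so `.git` or a local `.env` should 404 rather than be served, but that is an implicit reliance on a library default. Point the static root at a directory that contains only client assets, or at least make the exclusion explicit: `.use(express.static(__dirname, { dotfiles: 'deny' }))`. The rewrite also dropped the startup message; keeping something like `.listen(port, () => console.log('Listening on ' + port))` is useful when the port is taken from the environment.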
7 changes: 4 additions & 3 deletions package.json
Expand Up @@ -10,12 +10,11 @@
"yarn": "1.5.1"
},
"scripts": {
"appcache": "./appcache.sh",
"appcache": "sh appcache.sh",
"start": "node index.js",
"build": "yarn start && nativifier http://localhost:8080"
},
"devDependencies": {
"express": "^4.16.3",
"nativefier": "^7.5.4",
"yarn": "^1.5.0"
},
Expand All @@ -35,6 +34,7 @@
"datatables.net-scroller-bs4": "^1.4.4",
"datatables.net-select": "^1.2.5",
"datatables.net-select-bs4": "^1.2.5",
"express": "^4.16.3",
"golden-layout": "^1.5.9",
"html2canvas": "^1.0.0-alpha.10",
"jquery": "^3.3.1",
Expand All @@ -47,6 +47,7 @@
"screenfull": "^3.3.2",
"tn93": "^0.1.1",
"vis": "^4.21.0",
"vue": "^2.5.16"
"vue": "^2.5.16",
"xss": "^0.3.7"
}
}
7 changes: 0 additions & 7 deletions scripts/common.js
Expand Up @@ -115,13 +115,6 @@ app.parseNewick = function(a){
return r;
};

app.striptags = function(inp){
return ('' + inp)
.replace(/<[^>]+?>.*?<\/[^>]+?>/g, '') //Closed Tags
.replace(/<[^>]+?\/\s*>/g, '') //Self-Closing Tags
.replace(/<[^>]+?>/g, ''); //Unclosed Tags
};

app.titleize = function(title){
var small = title.toLowerCase().replace(/_/g, ' ');
if(small === 'id') return 'ID';
Expand Down
