
Ensure that javascript is correctly escaped, for CVE-2011-2083

RT 3.8.12 ensured that user-supplied strings in javascript were properly
escaped when output, by adding a 'j' Mason filter.  Since we cannot
depend on having that version of RT, provide our own identical
EscapeJS function and use it to escape user-supplied strings.
1 parent c7510d0 commit 71f052d9f645574b1d8996f31a143ec886834dc8 @alexmv alexmv committed Apr 5, 2012
Showing with 25 additions and 7 deletions.
  1. +7 −7 html/m/ticket/show
  2. +18 −0 lib/RT/Extension/MobileUI.pm
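--- a/html/m/ticket/show
+++ b/html/m/ticket/show
@@ -139,18 +139,18 @@ my $print_value = sub {
 }
 $m->out('</a>') if defined $linked && length $linked;
-# This section automatically populates a<div with the "IncludeContentForValue" for this custom
+# This section automatically populates a div with the "IncludeContentForValue" for this custom
 # field if it's been defined
 if ( $cf->IncludeContentForValue ) {
 my $vid = $value->id;
 $m->out( '<div class="object_cf_value_include" id="object_cf_value_'. $vid .'">' );
-$m->print( loc("See also:") );
-$m->out( '<a href="'. $value->IncludeContentForValue .'">' );
-$m->print( $value->IncludeContentForValue );
+$m->out( loc("See also:") );
+$m->out( '<a href="'. $m->interp->apply_escapes($value->IncludeContentForValue, 'h') .'">' );
+$m->out( $m->interp->apply_escapes($value->IncludeContentForValue, 'h') );
 $m->out( qq{</a></div>\n} );
-$m->out( qq{<script><!--\nahah('} );
-$m->print( $value->IncludeContentForValue );
-$m->out( qq{', 'object_cf_value_$vid');\n--></script>\n} );
+$m->out( qq{<script><!--\nahah(} );
+$m->out( RT::Extension::MobileUI::EscapeJS($value->IncludeContentForValue) );
+$m->out( qq{, 'object_cf_value_$vid');\n--></script>\n} );
 }
 };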
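Review bot: `$value->IncludeContentForValue` is called three times in the new lines (the href, the link text and the EscapeJS argument) and the `h`-escaped form is computed twice; hoisting it once with `my $include = $value->IncludeContentForValue;` right after `my $vid = $value->id;` and passing `$include` to `apply_escapes` and `EscapeJS` keeps the three outputs guaranteed to describe the same string. The `h` filter on the href protects the attribute boundary but does not constrain the URL scheme; whether the user-supplied part of the value can form the start of the URL is not visible in this hunk, so that is worth confirming against how IncludeContentForValue assembles the string. EscapeJS returns nothing for an undef argument, which would leave `ahah(, 'object_cf_value_...')` in the emitted script; the outer `if ( $cf->IncludeContentForValue )` guards the field's template, not necessarily the per-value string. The enclosing `$print_value` closure starts before this hunk.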
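--- a/lib/RT/Extension/MobileUI.pm
+++ b/lib/RT/Extension/MobileUI.pm
@@ -5,6 +5,24 @@ package RT::Extension::MobileUI;
 our $VERSION = "1.01";
+sub _encode_surrogates {
+my $uni = $_[0] - 0x10000;
+return ($uni / 0x400 + 0xD800, $uni % 0x400 + 0xDC00);
+}
+
+sub EscapeJS {
+my $val = shift;
+return unless defined $val;
+
+return "'" . join('',
+map {
+chr($_) =~ /[a-zA-Z0-9]/ ? chr($_) :
+$_ <= 255 ? sprintf("\\x%02X", $_) :
+$_ <= 65535 ? sprintf("\\u%04X", $_) :
+sprintf("\\u%X\\u%X", _encode_surrogates($_))
+} unpack('U*', $val))
+. "'";
+}
 =head1 NAME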
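Review bot: EscapeJS has no documentation of its contract, and the contract matters to callers: it returns a complete single-quoted JavaScript string literal (the surrounding `'` are added around the `join`), so callers must not add their own quotes, and it returns an empty list/undef for an undef input rather than `''`. A comment above `sub EscapeJS` such as `# Returns a single-quoted JS string literal with every non-alphanumeric character hex-escaped; undef in gives nothing out, so callers must guard.` would capture that. In `_encode_surrogates`, `$uni / 0x400 + 0xD800` is a floating-point value that only becomes an integer because `%X` truncates it in sprintf; `int($uni / 0x400) + 0xD800` makes the intent explicit, and `sprintf("\\u%04X\\u%04X", ...)` would match the zero-padding used for the BMP case. Since the commit message says this mirrors RT 3.8.12's `j` filter, any such change should keep the emitted output byte-for-byte identical.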

