
Commit 36a4619

committed
Escape message crypt status as we insert it into the DOM
The ->{'Value'} part of each message is inserted into the DOM with no escaping (to accommodate MakeClicky and callbacks using HTML). Values RT receives from other systems must be escaped or they leave us vulnerable to an XSS injection attack. This also happens to fix a bug where email addresses of senders would in some cases not be shown in the browser.
1 parent 62de9fe commit 36a4619


1 file changed

+5
-5
lines changed


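--- a/share/html/Elements/CryptStatus
+++ b/share/html/Elements/CryptStatus
@@ -147,7 +147,7 @@ foreach my $run ( @runs ) {
 push @messages, {
 Tag => $protocol,
 Classes => [qw/keycheck bad/],
-Value => loc( "Public key '0x[_1]' is required to verify signature", $line->{'Key'} ),
+Value => $m->interp->apply_escapes( loc( "Public key '0x[_1]' is required to verify signature", $line->{'Key'} ), 'h'),
 };
 }
 }
@@ -156,29 +156,29 @@ foreach my $run ( @runs ) {
 push @messages, {
 Tag => $protocol,
 Classes => ['passphrasecheck', lc $line->{Status}],
-Value => loc( $line->{'Message'} ),
+Value => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
 };
 }
 elsif ( $line->{'Operation'} eq 'Decrypt' ) {
 push @messages, {
 Tag => $protocol,
 Classes => ['decrypt', lc $line->{Status}],
-Value => loc( $line->{'Message'} ),
+Value => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
 };
 }
 elsif ( $line->{'Operation'} eq 'Verify' ) {
 push @messages, {
 Tag => $protocol,
 Classes => ['verify', lc $line->{Status}, 'trust-'.($line->{Trust} || 'UNKNOWN')],
-Value => loc( $line->{'Message'} ),
+Value => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
 };
 }
 else {
 next if $line->{'Status'} eq 'DONE';
 push @messages, {
 Tag => $protocol,
 Classes => [lc $line->{Operation}, lc $line->{Status}],
-Value => loc( $line->{'Message'} ),
+Value => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
 }
 }
 }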
