Escape message crypt status as we insert it into the DOM
The ->{'Value'} part of each message is inserted into the DOM with no
escaping (to accommodate MakeClicky and callbacks using HTML). Values RT
receives from other systems must be escaped or they leave us vulnerable to
an XSS injection attack.

This also happens to fix a bug where email addresses of senders would in
some cases not be shown in the browser.
sartak committed Jul 28, 2015
1 parent 62de9fe commit 36a4619
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions share/html/Elements/CryptStatus
Expand Up @@ -147,7 +147,7 @@ foreach my $run ( @runs ) {
push @messages, {
Tag => $protocol,
Classes => [qw/keycheck bad/],
Value => loc( "Public key '0x[_1]' is required to verify signature", $line->{'Key'} ),
Value => $m->interp->apply_escapes( loc( "Public key '0x[_1]' is required to verify signature", $line->{'Key'} ), 'h'),
};
}
}
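Review bot: the escape is applied to the result of loc(), so both the translated template and the interpolated key id from $line->{'Key'} are HTML-escaped together, which is the right order for untrusted data coming back from the crypt backend. One consequence worth stating in the commit message or a comment: any translation of this string that deliberately contains markup will now be rendered literally, since the 'h' escape is applied after localisation rather than only to the [_1] argument.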
Expand All @@ -156,29 +156,29 @@ foreach my $run ( @runs ) {
push @messages, {
Tag => $protocol,
Classes => ['passphrasecheck', lc $line->{Status}],
Value => loc( $line->{'Message'} ),
Value => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
};
}
elsif ( $line->{'Operation'} eq 'Decrypt' ) {
push @messages, {
Tag => $protocol,
Classes => ['decrypt', lc $line->{Status}],
Value => loc( $line->{'Message'} ),
Value => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
};
}
elsif ( $line->{'Operation'} eq 'Verify' ) {
push @messages, {
Tag => $protocol,
Classes => ['verify', lc $line->{Status}, 'trust-'.($line->{Trust} || 'UNKNOWN')],
Value => loc( $line->{'Message'} ),
Value => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
};
}
else {
next if $line->{'Status'} eq 'DONE';
push @messages, {
Tag => $protocol,
Classes => [lc $line->{Operation}, lc $line->{Status}],
Value => loc( $line->{'Message'} ),
Value => $m->interp->apply_escapes( loc( $line->{'Message'} ), 'h'),
}
}
}
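Review bot: the four branches now repeat the same `$m->interp->apply_escapes( loc( $line->{'Message'} ), 'h')` expression; consider escaping once where Value is consumed (or in a small helper) so a future branch cannot forget it, since the reason for this change is that an unescaped Value reaches the DOM. Note also that the same $line feeds the Classes entries (`lc $line->{Status}`, `'trust-'.($line->{Trust} || 'UNKNOWN')`), which this change leaves unescaped; whether those are escaped where the class attribute is rendered is not visible in this hunk and should be confirmed.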

0 comments on commit 36a4619