Commit
Fix XSS vulnerability in typeahead-enabled text entry fields
This commit makes several changes in various places to prevent HTML tags from being interpreted in typeahead text fields. The two places in the tool that use such fields are the search-by-username field in User Management, as well as the search-by-username field in Logs. However, since the latter only included usernames of accounts that had already been approved to use the tool, it was a much less severe vector than the user management one.

Note that this commit makes changes to the Bootstrap JavaScript code - I made the necessary changes in the lib/bootstrap/js/bootstrap.js file, tested there, then re-minified the file (including my changes) to lib/bootstrap/js/bootstrap.min.js - this minified file remains the version served by the tool to clients, but of course you can examine the changes I made in the original bootstrap.js file as well. The change in bootstrap.js is actually fairly minor - it only adds a little bit of extra processing to the typeahead system to turn HTML entities back into their appropriate characters when selecting an option with HTML entities from the typeahead dropdown.

Primarily, patching this hole involved moving the source data typeahead was using out of inline HTML and into a <script> block in footer.tpl, which necessitated some minor modifications to \BootstrapSkin::displayInternalFooter() to allow passing this data to footer.tpl. Furthermore, a new function (in functions.php), getTypeaheadSource(), generates the appropriate JavaScript source for the typeahead data from an array of usernames as strings - the output of this function is what is intended to be passed to displayInternalFooter().

One major caveat to this fix as is: If a name contains characters that are converted to HTML entities - let's say, "<b>Test</b>", then typing "<" or such will not cause typeahead to complete the rest of the name, since it only sees the name with those characters converted to HTML entities. That being said, typing "Test" *would* still complete to "<b>Test</b>", and when you select "<b>Test</b>" from the typeahead completion dropdown, the HTML entities would convert back to regular characters so the text entry field is correctly filled with "<b>Test</b>".
1 parent: 3ad4cbb
commit c34b12c
Showing 9 changed files with 44 additions and 18 deletions.
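The approach the commit message describes, as an added plain-JavaScript model that is not the project's getTypeaheadSource() or its Bootstrap patch: usernames are HTML-escaped before being emitted as the typeahead source inside a script block, matching runs over the escaped names (which is why the "<" caveat above occurs), and the entities are decoded again when an entry is selected. All function names and the sample usernames are constructed for this example.

```javascript
// Added example, not the project's own code. Models the commit's fix:
// escape usernames before they become the typeahead source, decode on select.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Single-pass decode: "&amp;lt;" becomes "&lt;", not "<", so a name that
// literally contained an entity text is not double-decoded.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => UNESCAPES[name]);
}

// Produces the statement that would be printed inside a <script> block
// (hypothetical analogue of the commit's getTypeaheadSource()). Every '<'
// is already an entity, so no name can contain "</script>" and close the
// block early; JSON.stringify handles quoting and backslashes.
function typeaheadSource(usernames) {
  return 'var typeaheadSource = ' + JSON.stringify(usernames.map(escapeHtml)) + ';';
}

// Evaluates the generated statement the way the browser would when it parses
// the script block, and returns the array the typeahead reads.
function loadSource(statement) {
  return new Function(statement + ' return typeaheadSource;')();
}

// Case-insensitive substring match over the escaped source. A query of "<"
// matches nothing because the source only holds "&lt;" (the stated caveat).
function matches(source, query) {
  const q = query.toLowerCase();
  return source.filter((name) => name.toLowerCase().includes(q));
}

// What the text entry field receives when a dropdown entry is chosen.
function select(escapedName) {
  return decodeEntities(escapedName);
}

// Constructed sample data, including the "<b>Test</b>" name from the commit message.
const SAMPLE_USERNAMES = ['Alice', '<b>Test</b>', 'Bob & "Co"'];
const SAMPLE_SOURCE = loadSource(typeaheadSource(SAMPLE_USERNAMES));
```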