xss fixes
yurikuzn committed Jul 23, 2019
1 parent 34e33bd commit 4ab7d19
Showing 18 changed files with 59 additions and 32 deletions.
15 changes: 15 additions & 0 deletions client/src/views/email/fields/email-address-varchar.js
Expand Up @@ -203,6 +203,10 @@ Espo.define('views/email/fields/email-address-varchar', ['views/fields/varchar',
},

addAddress: function (address, name, type, id) {
if (name) {
name = this.getHelper().escapeString(name);
}

if (this.justAddedAddress) {
this.deleteAddress(this.justAddedAddress);
}
Expand Down Expand Up @@ -236,6 +240,13 @@ Espo.define('views/email/fields/email-address-varchar', ['views/fields/varchar',
},

addAddressHtml: function (address, name) {
if (name) {
name = this.getHelper().escapeString(name);
}
if (address) {
name = this.getHelper().escapeString(address);
}

var conteiner = this.$el.find('.link-container');
var html =
'<div data-address="'+address+'" class="list-group-item">' +
Expand Down Expand Up @@ -288,6 +299,10 @@ Espo.define('views/email/fields/email-address-varchar', ['views/fields/varchar',

var addressHtml = '<span>' + address + '</span>';

if (name) {
name = this.getHelper().escapeString(name);
}

var lineHtml;
if (id) {
lineHtml = '<div>' + '<a href="#' + entityType + '/view/' + id + '">' + name + '</a> <span class="text-muted">&#187;</span> ' + addressHtml + '</div>';
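Review bot: The guard at the top of addAddressHtml assigns the escaped address to `name` instead of `address`, so the name escaped on the line before is overwritten and `address` still reaches the `data-address="…"` attribute and the rest of the markup unescaped; it should read `address = this.getHelper().escapeString(address);`. The same raw `address` is concatenated into `'<span>' + address + '</span>'` in the third hunk, and addAddress in the first hunk escapes only `name`, so if these values can originate from an incoming email the address should be escaped there as well. Whether escapeString also encodes quotes, which the attribute context requires, is not visible here and should be confirmed. All three functions continue outside their hunks.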
15 changes: 15 additions & 0 deletions client/src/views/email/fields/from-address-varchar.js
Expand Up @@ -106,6 +106,11 @@ Espo.define('views/email/fields/from-address-varchar', 'views/fields/varchar', f
var fromString = this.model.get('fromString') || this.model.get('fromName');

var name = this.nameHash[address] || this.parseNameFromStringAddress(fromString) || null;

if (name) {
name = this.getHelper().escapeString(name);
}

var entityType = this.typeHash[address] || null;
var id = this.idHash[address] || null;

Expand All @@ -129,6 +134,8 @@ Espo.define('views/email/fields/from-address-varchar', 'views/fields/varchar', f
},

getCreateHtml: function (address) {
address = this.getHelper().escapeString(address);

var html = '<span class="dropdown email-address-create-dropdown pull-right">' +
'<button class="dropdown-toggle btn btn-link btn-sm" data-toggle="dropdown">' +
'<span class="caret text-muted"></span>' +
Expand Down Expand Up @@ -179,6 +186,10 @@ Espo.define('views/email/fields/from-address-varchar', 'views/fields/varchar', f
}
}

if (name) {
name = this.getHelper().escapeString(name);
}

var attributes = {
emailAddress: address
};
Expand Down Expand Up @@ -240,6 +251,10 @@ Espo.define('views/email/fields/from-address-varchar', 'views/fields/varchar', f
}
}

if (name) {
name = this.getHelper().escapeString(name);
}

var attributes = {
emailAddress: address
};
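Review bot: Escaping is applied by reassigning `name` and `address` before they are used rather than at the HTML sink, so the escaped values also flow into non-HTML uses: in the third and fourth hunks the escaped `name` is live when `attributes = { emailAddress: address }` is built, and if `name` is later added to those attributes the created record would carry HTML entities; the same concern applies to `this.emailId`/`this.emailName` in client/src/views/notification/items/email-received.js, where identifiers that may be used for lookups are stored already escaped. Prefer calling escapeString inside the string concatenation that builds the markup and leaving the variables raw, or, where the reassignment is kept, add a comment such as `// name is HTML-escaped from here on; do not pass it to the model`. getCreateHtml and the surrounding functions run past their hunks, so the later uses are not visible here.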
2 changes: 1 addition & 1 deletion client/src/views/fields/link-multiple-with-primary.js
Expand Up @@ -130,7 +130,7 @@ Espo.define('views/fields/link-multiple-with-primary', 'views/fields/link-multip
var $container = this.$el.find('.link-container');
var $el = $('<div class="form-inline list-group-item link-with-role clearfix link-group-item-with-primary">').addClass('link-' + id).attr('data-id', id);

var nameHtml = '<div>' + name + '&nbsp;' + '</div>';
var nameHtml = '<div>' + this.getHelper().escapeString(name) + '&nbsp;' + '</div>';
var removeHtml = '<a href="javascript:" class="pull-right" data-id="' + id + '" data-action="clearLink"><span class="fas fa-times"></a>';

$left = $('<div>');
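Review bot: `id` is still concatenated raw into the `data-id="…"` attribute on the line after the changed one, while the rest of this commit escapes ids wherever they are concatenated into markup (the notification and stream views); for consistency use `this.getHelper().escapeString(id)` there as well, or add a comment stating why `id` is trusted. The `.attr('data-id', id)` call on the jQuery element two lines earlier is fine as-is since it does not go through HTML parsing. The enclosing function starts and ends outside the hunk.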
2 changes: 1 addition & 1 deletion client/src/views/notification/items/assign.js
Expand Up @@ -40,7 +40,7 @@ Espo.define('views/notification/items/assign', 'views/notification/items/base',
this.userId = data.userId;

this.messageData['entityType'] = Espo.Utils.upperCaseFirst((this.translate(data.entityType, 'scopeNames') || '').toLowerCase());
this.messageData['entity'] = '<a href="#' + data.entityType + '/view/' + data.entityId + '">' + data.entityName + '</a>';
this.messageData['entity'] = '<a href="#' + this.getHelper().escapeString(data.entityType) + '/view/' + this.getHelper().escapeString(data.entityId) + '">' + this.getHelper().escapeString(data.entityName) + '</a>';

this.createMessage();
},
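Review bot: The `entityType` message entry built from the translated scope name on the line above the changed one is left unescaped here, whereas the sibling notification items changed in this commit (email-received, entity-removed, message) wrap the same expression in `this.getHelper().escapeString(...)`; apply the same wrapping for consistency, i.e. `this.messageData['entityType'] = this.getHelper().escapeString(Espo.Utils.upperCaseFirst((this.translate(data.entityType, 'scopeNames') || '').toLowerCase()));`. The enclosing method begins outside the hunk.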
11 changes: 5 additions & 6 deletions client/src/views/notification/items/email-received.js
Expand Up @@ -46,19 +46,18 @@ Espo.define('views/notification/items/email-received', 'views/notification/items

this.userId = data.userId;

this.messageData['entityType'] = Espo.Utils.upperCaseFirst((this.translate(data.entityType, 'scopeNames') || '').toLowerCase());
this.messageData['entityType'] = this.getHelper().escapeString(Espo.Utils.upperCaseFirst((this.translate(data.entityType, 'scopeNames') || '').toLowerCase()));
if (data.personEntityId) {
this.messageData['from'] = '<a href="#' + data.personEntityType + '/view/' + data.personEntityId + '">' + data.personEntityName + '</a>';
this.messageData['from'] = '<a href="#' + this.getHelper().escapeString(data.personEntityType) + '/view/' + this.getHelper().escapeString(data.personEntityId) + '">' + this.getHelper().escapeString(data.personEntityName) + '</a>';
} else {
this.messageData['from'] = data.fromString || this.translate('empty address');
this.messageData['from'] = this.getHelper().escapeString(data.fromString || this.translate('empty address'));
}

this.emailId = data.emailId;
this.emailName = data.emailName;
this.emailId = this.getHelper().escapeString(data.emailId);
this.emailName = this.getHelper().escapeString(data.emailName);

this.createMessage();
}

});
});

6 changes: 3 additions & 3 deletions client/src/views/notification/items/entity-removed.js
Expand Up @@ -39,10 +39,10 @@ Espo.define('views/notification/items/entity-removed', 'views/notification/items

this.userId = data.userId;

this.messageData['entityType'] = (this.translate(data.entityType, 'scopeNames') || '').toLowerCase();
this.messageData['entityType'] = this.getHelper().escapeString((this.translate(data.entityType, 'scopeNames') || '').toLowerCase());

this.messageData['user'] = '<a href="#User/view/' + data.userId + '">' + data.userName + '</a>';
this.messageData['entity'] = '<a href="#'+data.entityType+'/view/' + data.entityId + '">' + data.entityName + '</a>';
this.messageData['user'] = '<a href="#User/view/' + this.getHelper().escapeString(data.userId) + '">' + this.getHelper().escapeString(data.userName) + '</a>';
this.messageData['entity'] = '<a href="#'+this.getHelper().escapeString(data.entityType)+'/view/' + this.getHelper().escapeString(data.entityId) + '">' + this.getHelper().escapeString(data.entityName) + '</a>';

this.createMessage();
}
6 changes: 3 additions & 3 deletions client/src/views/notification/items/message.js
Expand Up @@ -47,10 +47,10 @@ Espo.define('views/notification/items/message', 'views/notification/items/base',

this.userId = data.userId;

this.messageData['entityType'] = Espo.Utils.upperCaseFirst((this.translate(data.entityType, 'scopeNames') || '').toLowerCase());
this.messageData['entityType'] = this.getHelper().escapeString(Espo.Utils.upperCaseFirst((this.translate(data.entityType, 'scopeNames') || '').toLowerCase()));

this.messageData['user'] = '<a href="#User/view/' + data.userId + '">' + data.userName + '</a>';
this.messageData['entity'] = '<a href="#'+data.entityType+'/view/' + data.entityId + '">' + data.entityName + '</a>';
this.messageData['user'] = '<a href="#User/view/' + this.getHelper().escapeString(data.userId) + '">' + this.getHelper().escapeString(data.userName) + '</a>';
this.messageData['entity'] = '<a href="#'+this.getHelper().escapeString(data.entityType)+'/view/' + this.getHelper().escapeString(data.entityId) + '">' + this.getHelper().escapeString(data.entityName) + '</a>';

this.createMessage();
}
3 changes: 1 addition & 2 deletions client/src/views/site/navbar.js
Expand Up @@ -41,7 +41,6 @@ Espo.define('views/site/navbar', 'view', function (Dep) {
menuDataList: this.getMenuDataList(),
quickCreateList: this.quickCreateList,
enableQuickCreate: this.quickCreateList.length > 0,
userName: this.getUser().get('name'),
userId: this.getUser().id,
logoSrc: this.getLogoSrc()
};
Expand Down Expand Up @@ -528,7 +527,7 @@ Espo.define('views/site/navbar', 'view', function (Dep) {
var list = [
{
link: '#User/view/' + this.getUser().id,
html: avatarHtml + this.getUser().get('name')
html: avatarHtml + this.getHelper().escapeString(this.getUser().get('name')),
},
{divider: true}
];
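Review bot: Removing `userName` from the object passed to the template in the first hunk changes the template's data contract; if the navbar template still references `userName` it will now render empty rather than escaped, so confirm the template was updated in the same change (not visible here). In the second hunk the user id is still concatenated raw into `link`, unlike the ids escaped elsewhere in this commit; since it is the current user's own id the exposure is presumably small, but a short comment such as `// id is server-issued, not user-editable` would make the omission deliberate. Both enclosing functions continue outside their hunks.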
2 changes: 1 addition & 1 deletion client/src/views/stream/note.js
Expand Up @@ -85,7 +85,7 @@ Espo.define('views/stream/note', 'view', function (Dep) {
this.messageData = {
'user': 'field:createdBy',
'entity': 'field:parent',
'entityType': this.translateEntityType(this.model.get('parentType')),
'entityType': this.getHelper().escapeString(this.translateEntityType(this.model.get('parentType'))),
};

if (!this.options.noEdit && (this.isEditable || this.isRemovable)) {
2 changes: 1 addition & 1 deletion client/src/views/stream/notes/assign.js
Expand Up @@ -52,7 +52,7 @@ Espo.define('views/stream/notes/assign', 'views/stream/note', function (Dep) {
this.assignedUserId = data.assignedUserId || null;
this.assignedUserName = data.assignedUserName || null;

this.messageData['assignee'] = '<a href="#User/view/' + data.assignedUserId + '">' + data.assignedUserName + '</a>';
this.messageData['assignee'] = '<a href="#User/view/' + this.getHelper().escapeString(data.assignedUserId) + '">' + this.getHelper().escapeString(data.assignedUserName) + '</a>';

if (this.isUserStream) {
if (this.assignedUserId) {
2 changes: 1 addition & 1 deletion client/src/views/stream/notes/create-related.js
Expand Up @@ -56,7 +56,7 @@ Espo.define('views/stream/notes/create-related', 'views/stream/note', function (
this.entityName = this.model.get('relatedName') || data.entityName || null;

this.messageData['relatedEntityType'] = this.translateEntityType(this.entityType);
this.messageData['relatedEntity'] = '<a href="#' + this.entityType + '/view/' + this.entityId + '">' + this.entityName +'</a>';
this.messageData['relatedEntity'] = '<a href="#' + this.getHelper().escapeString(this.entityType) + '/view/' + this.getHelper().escapeString(this.entityId) + '">' + this.getHelper().escapeString(this.entityName) +'</a>';

this.createMessage();
}
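Review bot: `relatedEntityType` on the line above the changed one is still assigned the raw `translateEntityType(...)` result, while client/src/views/stream/note.js in this commit escapes the equivalent translated entity type; the same gap exists in client/src/views/stream/notes/relate.js. Translations are presumably admin-managed, so exposure is limited, but for consistency wrap it as `this.messageData['relatedEntityType'] = this.getHelper().escapeString(this.translateEntityType(this.entityType));`. The enclosing method continues outside the hunk.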
2 changes: 1 addition & 1 deletion client/src/views/stream/notes/create.js
Expand Up @@ -52,7 +52,7 @@ Espo.define('views/stream/notes/create', 'views/stream/note', function (Dep) {
this.assignedUserId = data.assignedUserId || null;
this.assignedUserName = data.assignedUserName || null;

this.messageData['assignee'] = '<a href="#User/view/' + this.assignedUserId + '">' + this.assignedUserName + '</a>';
this.messageData['assignee'] = '<a href="#User/view/' + this.assignedUserId + '">' + this.getHelper().escapeString(this.assignedUserName) + '</a>';

var isYou = false;
if (this.isUserStream) {
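Review bot: Only `assignedUserName` is escaped on the changed line; `this.assignedUserId` is still concatenated raw into the href, whereas the parallel line in client/src/views/stream/notes/assign.js in this commit escapes both the id and the name. Use `this.getHelper().escapeString(this.assignedUserId)` in the href as well so the two views agree. The enclosing method continues outside the hunk.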
4 changes: 2 additions & 2 deletions client/src/views/stream/notes/email-received.js
Expand Up @@ -67,7 +67,7 @@ Espo.define('views/stream/notes/email-received', 'views/stream/note', function (
}
}

this.messageData['email'] = '<a href="#Email/view/' + data.emailId + '">' + data.emailName + '</a>';
this.messageData['email'] = '<a href="#Email/view/' + this.getHelper().escapeString(data.emailId) + '">' + this.getHelper().escapeString(data.emailName) + '</a>';

this.messageName = 'emailReceived';

Expand All @@ -77,7 +77,7 @@ Espo.define('views/stream/notes/email-received', 'views/stream/note', function (

if (data.personEntityId) {
this.messageName += 'From';
this.messageData['from'] = '<a href="#'+data.personEntityType+'/view/' + data.personEntityId + '">' + data.personEntityName + '</a>';
this.messageData['from'] = '<a href="#'+this.getHelper().escapeString(data.personEntityType)+'/view/' + this.getHelper().escapeString(data.personEntityId) + '">' + this.getHelper().escapeString(data.personEntityName) + '</a>';
}

if (this.model.get('parentType') === data.personEntityType && this.model.get('parentId') == data.personEntityId) {
4 changes: 2 additions & 2 deletions client/src/views/stream/notes/email-sent.js
Expand Up @@ -65,11 +65,11 @@ Espo.define('views/stream/notes/email-sent', 'views/stream/note', function (Dep)
}
}

this.messageData['email'] = '<a href="#Email/view/' + data.emailId + '">' + data.emailName + '</a>';
this.messageData['email'] = '<a href="#Email/view/' + this.getHelper().escapeString(data.emailId) + '">' + this.getHelper().escapeString(data.emailName) + '</a>';

this.messageName = 'emailSent';

this.messageData['by'] = '<a href="#'+data.personEntityType+'/view/' + data.personEntityId + '">' + data.personEntityName + '</a>';
this.messageData['by'] = '<a href="#'+this.getHelper().escapeString(data.personEntityType)+'/view/' + this.getHelper().escapeString(data.personEntityId) + '">' + this.getHelper().escapeString(data.personEntityName) + '</a>';


if (this.isThis) {
5 changes: 2 additions & 3 deletions client/src/views/stream/notes/mention-in-post.js
Expand Up @@ -76,7 +76,7 @@ Espo.define('views/stream/notes/mention-in-post', 'views/stream/note', function
teamIdList.forEach(function (teamId) {
var teamName = teamNameHash[teamId];
if (teamName) {
teamHtmlList.push('<a href="#Team/view/' + teamId + '">' + teamName + '</a>');
teamHtmlList.push('<a href="#Team/view/' + this.getHelper().escapeString(teamId) + '">' + this.getHelper().escapeString(teamName) + '</a>');
}
}, this);

Expand All @@ -93,7 +93,7 @@ Espo.define('views/stream/notes/mention-in-post', 'views/stream/note', function
userIdList.forEach(function (userId) {
var userName = userNameHash[userId];
if (userName) {
userHtmlList.push('<a href="#User/view/' + userId + '">' + userName + '</a>');
userHtmlList.push('<a href="#User/view/' + this.getHelper().escapeString(userId) + '">' + this.getHelper().escapeString(userName) + '</a>');
}
}, this);
this.messageData['target'] = userHtmlList.join(', ');
Expand All @@ -113,4 +113,3 @@ Espo.define('views/stream/notes/mention-in-post', 'views/stream/note', function

});
});

6 changes: 3 additions & 3 deletions client/src/views/stream/notes/post.js
Expand Up @@ -85,7 +85,7 @@ Espo.define('views/stream/notes/post', 'views/stream/note', function (Dep) {
teamIdList.forEach(function (teamId) {
var teamName = teamNameHash[teamId];
if (teamName) {
teamHtmlList.push('<a href="#Team/view/' + teamId + '">' + teamName + '</a>');
teamHtmlList.push('<a href="#Team/view/' + this.getHelper().escapeString(teamId) + '">' + this.getHelper().escapeString(teamName) + '</a>');
}
}, this);

Expand All @@ -103,7 +103,7 @@ Espo.define('views/stream/notes/post', 'views/stream/note', function (Dep) {
portalIdList.forEach(function (portalId) {
var portalName = portalNameHash[portalId];
if (portalName) {
portalHtmlList.push('<a href="#Portal/view/' + portalId + '">' + portalName + '</a>');
portalHtmlList.push('<a href="#Portal/view/' + this.getHelper().escapeString(portalId) + '">' + this.getHelper().escapeString(portalName) + '</a>');
}
}, this);

Expand Down Expand Up @@ -135,7 +135,7 @@ Espo.define('views/stream/notes/post', 'views/stream/note', function (Dep) {
} else {
var userName = userNameHash[userId];
if (userName) {
userHtmlList.push('<a href="#User/view/' + userId + '">' + userName + '</a>');
userHtmlList.push('<a href="#User/view/' + this.getHelper().escapeString(userId) + '">' + this.getHelper().escapeString(userName) + '</a>');
}
}
}
2 changes: 1 addition & 1 deletion client/src/views/stream/notes/relate.js
Expand Up @@ -55,7 +55,7 @@ Espo.define('views/stream/notes/relate', 'views/stream/note', function (Dep) {
this.entityName = this.model.get('relatedName') || data.entityName || null;

this.messageData['relatedEntityType'] = this.translateEntityType(this.entityType);
this.messageData['relatedEntity'] = '<a href="#' + this.entityType + '/view/' + this.entityId + '">' + this.entityName +'</a>';
this.messageData['relatedEntity'] = '<a href="#' + this.getHelper().escapeString(this.entityType) + '/view/' + this.getHelper().escapeString(this.entityId) + '">' + this.getHelper().escapeString(this.entityName) +'</a>';

this.createMessage();
},
2 changes: 1 addition & 1 deletion client/src/views/stream/notes/status.js
Expand Up @@ -56,7 +56,7 @@ Espo.define('views/stream/notes/status', 'views/stream/note', function (Dep) {

this.style = data.style || 'default';

this.statusText = this.getLanguage().translateOption(value, field, this.model.get('parentType'));
this.statusText = this.getHelper().escapeString(this.getLanguage().translateOption(value, field, this.model.get('parentType')));

this.messageData['field'] = this.translate(field, 'fields', this.model.get('parentType')).toLowerCase();

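Review bot: The translated `field` label two lines below the change is stored in `messageData['field']` without escaping, whereas the status option translation on the changed line and the translated entity type in client/src/views/stream/note.js are escaped in this commit; for consistency wrap it as `this.messageData['field'] = this.getHelper().escapeString(this.translate(field, 'fields', this.model.get('parentType')).toLowerCase());`. The enclosing method continues outside the hunk.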
