Fix XSS in confirmation prompts
Also update some confirmation prompts to not use HTML in the message as
this is no longer supported.
ThiefMaster committed Jul 20, 2023
1 parent bb9df8e commit 2ee636d
Showing 12 changed files with 28 additions and 18 deletions.
11 changes: 11 additions & 0 deletions CHANGES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,17 @@ Version 3.2.6

*Unreleased*

Security fixes
^^^^^^^^^^^^^^

- Fix an XSS vulnerability in various confirmation prompts commonly used when deleting
things. Exploitation requires someone with at least submission privileges (such as a
speaker) and then rely on someone else to attempt to delete this content. However,
considering that event organizers may indeed delete suspicious-looking content when
encountering it, there is a non-negligible risk of such an attack to succeed. Because
of this it is strongly recommended to upgrade as soon as possible (:pr:`5862`,
:cve:`CVE-2023-37901`)

Internationalization
^^^^^^^^^^^^^^^^^^^^

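Review bot: The changelog sentence "Exploitation requires someone with at least submission privileges ... and then rely on someone else" does not agree grammatically; "requires ... and then relies on" reads correctly. The entry also omits the behaviour change stated in the commit message, that HTML in confirmation messages is no longer supported: anyone (plugins included) still passing markup to confirmPrompt will now see the tags rendered literally, and that is worth a line under this release so downstream authors know to update their prompts.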
Expand Down
4 changes: 2 additions & 2 deletions indico/modules/attachments/templates/_attachments.html
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@
data-title="{% trans name=attachment.title %}Remove {{ name }}?{% endtrans %}"
title="{% trans %}Remove{% endtrans %}"
data-confirm="{% trans name=attachment.title -%}
Are you sure you want to remove &quot;{{ name }}&quot;?<br>
Are you sure you want to remove &quot;{{ name }}&quot;?
This will remove the attachment permanently.
{%- endtrans %}">
</a>
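Review bot: With the `<br>` gone, the two sentences are joined only by the newline inside the attribute value, which the prompt will render as a single space; that is fine, but note that the safety of `&quot;{{ name }}&quot;` in data-confirm still depends on `{{ name }}` being autoescaped within the attribute, and the `&quot;` entities are now decoded by the browser and shown as plain quotes by the text()-based popup rather than interpreted as markup. A short Jinja comment here saying that this attribute is plain text, not HTML, would stop the `<br>` from being reintroduced later.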
Expand Down Expand Up @@ -94,7 +94,7 @@
data-title="{% trans name=folder.title %}Remove {{ name }}?{% endtrans %}"
title="{% trans %}Remove{% endtrans %}"
data-confirm="{% trans name=folder.title -%}
Are you sure you want to remove &quot;{{ name }}&quot;?<br>
Are you sure you want to remove &quot;{{ name }}&quot;?
This will remove the folder and its contents permanently.
{%- endtrans %}">
</a>
Expand Down
6 changes: 4 additions & 2 deletions indico/modules/categories/templates/management/base.html
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@

{% macro delete_category_button(category, classes="i-button") %}
{% set confirmation_message -%}
{% trans category=category.title %}Do you really want to delete the category "{{ category }}"?{% endtrans %}
{% trans category=category.title %}
Do you really want to delete the category &quot;{{ category }}&quot;?
{% endtrans %}
{%- endset %}
{% if category.is_empty %}
{% set tooltip -%}
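Review bot: The `{% trans category=category.title %}` block is now multi-line without whitespace control, so its msgid picks up the leading newline and indentation unless the i18n extension is configured to trim, and it becomes a different string from the one translators already have. The other blocks touched in this commit use `-%}` / `{%-`; `{% trans category=category.title -%}` ... `{%- endtrans %}` would match them. The switch from a literal `"` to `&quot;` here is required because `|forceescape` is dropped from the attribute in the next hunk, so a raw quote would terminate data-confirm; an inline comment noting that dependency would keep the two hunks in sync.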
Expand All @@ -16,7 +18,7 @@
{% endif %}
<a class="{{ classes }} icon-remove js-delete-category"
title="{{ tooltip|forceescape }}"
data-confirm="{{ confirmation_message|forceescape }}"
data-confirm="{{ confirmation_message }}"
data-title="{% trans %}Delete category{% endtrans %}"
data-href="{{ url_for('categories.delete', category) }}"
data-method="POST"></a>
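Review bot: Dropping `|forceescape` on data-confirm while keeping it on `title` looks inconsistent and the reason is not recorded: forceescape would turn the `&quot;` entities in confirmation_message into `&amp;quot;`, which the text()-based popup would then display literally. The trade-off is that confirmation_message is now inserted into the attribute verbatim, so it must never contain a raw `"`; it works today because `{{ category }}` is autoescaped inside the set block and the surrounding quotes are written as entities. Please add a comment stating that this attribute is inserted unescaped on purpose and why.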
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,10 @@ <h3 class="f-self-stretch js-mathjax">
{% set message %}
{% trans %}Do you really want to withdraw this abstract?{% endtrans %}
{% if abstract.contribution %}
<br>
{%- trans -%}
Withdrawing this abstract will permanently delete its corresponding contribution.
{%- endtrans -%}
{% elif not can_manage %}
<br>
{% trans %}This operation is irreversible.{% endtrans %}
{% endif %}
{% endset %}
Expand Down
2 changes: 1 addition & 1 deletion indico/modules/events/layout/templates/_menu.html
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@
title="{% trans %}Remove the menu entry{% endtrans %}"
data-confirm="
{%- if not entry.is_separator -%}
{%- trans name='&quot;%s&quot;'|format(entry.localized_title) -%}
{%- trans name='"%s"'|format(entry.localized_title) -%}
Are you sure you want to remove {{ name }}?
{%- endtrans -%}
{% else %}
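Review bot: Replacing `'&quot;%s&quot;'` with `'"%s"'` is correct only because `|format` returns a plain string that `{{ name }}` then autoescapes, so the quotes reach the attribute as `&#34;` and are shown as real quotes by the plain-text prompt; the literal `"` in the Jinja expression never reaches the output unescaped. The previous form would have displayed `&quot;` literally once the popup stopped rendering HTML. Worth a comment, since the `"` sitting inside a `"`-delimited attribute is easy to misread as a quoting bug.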
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{% macro _change_type_confirmation(type) %}
{% trans -%}
Changing the event type to <strong>{{ type }}</strong> will change the look of the event page
Changing the event type to {{ type }} will change the look of the event page
and may disable some features not available for the new event type.
{%- endtrans %}
{% endmacro %}
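Review bot: Removing `<strong>` around `{{ type }}` is the right consequence of the prompt becoming plain text, but the emphasis on the new type is lost for the user. If it is still wanted, it cannot come from markup in the translated string; it would need a separate, trusted mechanism (for instance the popup building the element itself from a structured value). If plain text is acceptable here, a comment saying so prevents the tags from creeping back.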
Expand Down
2 changes: 1 addition & 1 deletion indico/modules/events/static/templates/static_sites.html
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
data-method="post"
data-href="{{ url_for('static_site.build', event) }}"
data-title="{% trans %}Build an offline copy{% endtrans %}"
data-confirm="{% trans %}Are you sure you want to build an offline copy of this event?<br>Beware that it is a heavy operation, especially for large events, and it might take some time to finish.{% endtrans %}">
data-confirm="{% trans %}Are you sure you want to build an offline copy of this event? Beware that it is a heavy operation, especially for large events, and it might take some time to finish.{% endtrans %}">
{%- trans %}Build offline copy{% endtrans -%}
</button>
</div>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -194,8 +194,10 @@ <h2>
{% set data_confirm %}
{% trans %}Are you sure you want to remove this submission?{% endtrans %}
{% if submission.is_anonymous %}
<br><br>
{% trans %}Note: Authenticated users will not be able to submit an anonymous survey again even if you delete their submission.{% endtrans %}
{% trans %}
Note: Authenticated users will not be able to submit an anonymous survey again
even if you delete their submission.
{% endtrans %}
{% endif %}
{% endset %}
<a href="#" class="icon-remove right js-delete-submission hide-if-locked"
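Review bot: The `{% trans %}` block that replaced the single-line note is now multi-line without `-` whitespace control, so the extracted msgid changes to include the surrounding newlines and indentation (unless trimming is enabled globally) and existing translations of this string stop matching. Using `{% trans -%}` ... `{%- endtrans %}`, as the abstract template in this same commit does, keeps the msgid stable. The removed `<br><br>` leaves the note separated from the question only by whitespace, which the plain-text popup collapses to a space; confirm that reads acceptably.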
Expand Down
2 changes: 1 addition & 1 deletion indico/modules/oauth/templates/user_apps.html
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
<button class="ui negative small button"
data-href="{{ url_for('.user_app_revoke', auth.application) }}"
data-method="POST"
data-confirm="{% trans app_name=auth.application.name %}{{ app_name }} will no longer have access to your Indico data.<br>
data-confirm="{% trans app_name=auth.application.name %}{{ app_name }} will no longer have access to your Indico data.
Are you sure you want to revoke its access?{% endtrans %}">
{%- trans %}Revoke{% endtrans -%}
</button>
Expand Down
3 changes: 0 additions & 3 deletions indico/modules/oauth/templates/user_tokens.html
Original file line number Diff line number Diff line change
Expand Up @@ -109,13 +109,10 @@
You cannot undo this action.
{% endtrans %}
{% if not can_manage %}
<br><br>
<strong>
{% trans %}
Warning: You will not be able to create a new API token since only Indico
admins can create API tokens.
{% endtrans %}
</strong>
{% endif %}
">
<i aria-hidden="true" class="trash icon"></i>
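Review bot: The warning about not being able to recreate an API token loses both its line break and its `<strong>` emphasis, so it now runs on directly from "You cannot undo this action." in the same visual weight. Since the prompt is plain text by design now, consider phrasing the string so it stands on its own (e.g. starting with "Warning:" is already done) or adding a leading period/space, and check that the remaining `{% trans %}` block still matches its existing translation after the surrounding markup was removed.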
Expand Down
4 changes: 2 additions & 2 deletions indico/modules/users/templates/personal_data.html
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<button class="ui negative small button"
data-href="{{ url_for('.user_block') }}"
data-method="PUT"
data-confirm="{% trans %}This user will no longer have access to Indico.<br>
data-confirm="{% trans %}This user will no longer have access to Indico.
Are you sure you want to revoke their access?{% endtrans %}"
data-reload-after
{% if user == session.user %}disabled{% endif %}>
Expand All @@ -25,7 +25,7 @@
<button class="ui small button"
data-href="{{ url_for('.user_block') }}"
data-method="DELETE"
data-confirm="{% trans %}This user will regain access to Indico.<br>
data-confirm="{% trans %}This user will regain access to Indico.
Are you sure you want to restore their access?{% endtrans %}"
data-reload-after>
{% trans %}Unblock User{% endtrans %}
Expand Down
2 changes: 1 addition & 1 deletion indico/web/client/js/jquery/utils/misc.js
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import Palette from '../../utils/palette';
(function(global) {
global.confirmPrompt = function confirmPrompt(message, title) {
var dfd = $.Deferred();
message = $('<div>', {width: 400, html: message});
message = $('<div>', {width: 400, text: message});
new ConfirmPopup(title || $T('Please confirm'), message, function(confirmed) {
if (confirmed) {
dfd.resolve();
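Review bot: This one-word change from `html:` to `text:` is the actual fix; every template hunk above is a consequence of it. Two follow-ups: first, a grep for every caller of `confirmPrompt` and every `data-confirm` attribute (including plugins and JS that builds the message from server data) to confirm none still embeds markup, since anything that does will now show raw tags to the user instead of being silently unsafe; second, a comment above this line stating that `message` is treated as plain text and that callers needing markup must build a trusted element themselves, because `ConfirmPopup` already accepts a jQuery element as its message argument and the next person to hit the "my `<br>` stopped working" case will otherwise revert this.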
Expand Down
