Merge pull request from GHSA-7p8h-86p5-wv3p
- Fix several XSS vulnerabilities
dozoisch committed Mar 5, 2021
2 parents 440f0e5 + 0fa67c7 commit f5e0d49
Showing 3 changed files with 32 additions and 16 deletions.
17 changes: 9 additions & 8 deletions lib/filters.js
Expand Up @@ -66,9 +66,9 @@ exports.to_display = function (input) {
&& input._id
) {
retHTML += '<div class="tooDamnBig" doc_id="' + encodeURIComponent(JSON.stringify(input._id)) + '" '
+ 'doc_prop="' + input.attribu + '" title="Max prop size: ' + input.maxSize + '">';
+ 'doc_prop="' + entifyGTLTAmp(input.attribu) + '" title="Max prop size: ' + input.maxSize + '">';
retHTML += input.display + '<br>~' + input.humanSz;
retHTML += '<br>Preview:' + input.preview;
retHTML += '<br>Preview:' + entifyGTLTAmp(input.preview);
retHTML += '<br>Click to fetch this property';
retHTML += '</div>';
return retHTML;
Expand All @@ -87,9 +87,9 @@ exports.to_display = function (input) {
&& input._id
) {
retHTML += '<div class="tooDamnBig" doc_id="' + encodeURIComponent(JSON.stringify(input._id)) + '" '
+ 'doc_prop="' + input.attribu + '" title="Max row size: ' + input.maxSize + '">';
retHTML += input.display + '<br>' + input.attribu + ': ~' + input.humanSz;
retHTML += '<br>Preview:' + input.preview;
+ 'doc_prop="' + entifyGTLTAmp(input.attribu) + '" title="Max row size: ' + input.maxSize + '">';
retHTML += input.display + '<br>' + entifyGTLTAmp(input.attribu) + ': ~' + input.humanSz;
retHTML += '<br>Preview:' + entifyGTLTAmp(input.preview);
retHTML += '<br>Click to fetch this property';
retHTML += '</div>';
return retHTML;
Expand All @@ -105,7 +105,7 @@ exports.to_display = function (input) {
|| input.substr(0, 23) === 'data:image/jpeg;base64,'
)
) {
return '<img src="' + input + '" style="max-height:100%; max-width:100%; "/>';
return '<img src="' + entifyGTLTAmp(input) + '" style="max-height:100%; max-width:100%; "/>';
}

// Audio inline
Expand All @@ -116,7 +116,7 @@ exports.to_display = function (input) {
|| input.substr(0, 22) === 'data:audio/mp3;base64,'
)
) {
return '<audio controls style="width:45px;" src="' + input + '">Your browser does not support the audio element.</audio>';
return '<audio controls style="width:45px;" src="' + entifyGTLTAmp(input) + '">Your browser does not support the audio element.</audio>';
}

// Video inline
Expand All @@ -128,7 +128,8 @@ exports.to_display = function (input) {
|| input.substr(0, 22) === 'data:video/ogv;base64,'
)
) {
return '<video controls><source type="' + input.substring(input.indexOf(':') + 1, input.indexOf(';')) + '" src="' + input + '"/>'
const videoFormat = input.match(/^data:(.*);base64/)[1];
return '<video controls><source type="' + videoFormat + '" src="' + entifyGTLTAmp(input) + '"/>'
+ 'Your browser does not support the video element.</video>';
}

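Review bot: In the `@@ -128` hunk the new `videoFormat` is concatenated into `type="…"` without `entifyGTLTAmp`, while the `src` beside it is escaped and the parallel code in lib/scripts/collection.js wraps the same value in `escapeHtml`. The prefix checks only pin the first 22 characters and `(.*)` is greedy, so a payload containing a later `;base64` puts everything in between — `"` and `>` included — into the capture and from there unescaped into the attribute. I would use `const videoFormat = input.match(/^data:([^;]*);base64,/)[1];` and `'<video controls><source type="' + entifyGTLTAmp(videoFormat) + '" src="' + entifyGTLTAmp(input) + '"/>'`. If `entifyGTLTAmp` escapes only `<`, `>` and `&`, as its name suggests, a `"` in `input.attribu` still closes the `doc_prop` attribute in the first two hunks, so the helper needs `"` handled as well (or the new `escapeHtml` used here too), and `input.display`, `input.humanSz` and `input.maxSize` remain unescaped in the same markup. `exports.to_display` starts before and ends after these hunks.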
23 changes: 15 additions & 8 deletions lib/scripts/collection.js
@@ -1,6 +1,7 @@
import $ from 'jquery';
import renderjson from 'renderjson';
import CodeMirror from './codeMirrorLoader';
import escapeHtml from './escapeHtml';

function getParameterByName(name) {
name = name.replace(/\[/, '\\[').replace(/[\]]/, '\\]');
Expand Down Expand Up @@ -137,7 +138,7 @@ $(() => {
// Set the element with spinner for now
target.html(spinner);

$.get(`${makeCollectionUrl()}${encodeURIComponent(_id)}/${prop}`, function (input) {
function renderProp(input) {
// Images inline
if (
typeof input === 'string'
Expand All @@ -148,7 +149,7 @@ $(() => {
|| input.substr(0, 23) === 'data:image/jpeg;base64,'
)
) {
input = '<img src="' + input + '" style="max-height:100%; max-width:100%; "/>';
return `<img src="${escapeHtml(input)}" style="max-height:100%; max-width:100%; "/>`;
}

// Audio inline
Expand All @@ -160,7 +161,7 @@ $(() => {
|| input.substr(0, 22) === 'data:audio/mp3;base64,'
)
) {
input = '<audio controls style="width:45px;" src="' + input + '">Your browser does not support the audio element.</audio>';
return `<audio controls style="width:45px;" src="${escapeHtml(input)}">Your browser does not support the audio element.</audio>`;
}

// Video inline
Expand All @@ -172,16 +173,22 @@ $(() => {
|| input.substr(0, 22) === 'data:video/ogv;base64,'
)
) {
input = '<video controls><source type="' + input.substring(input.indexOf(':') + 1, input.indexOf(';')) + '" src="' + input + '"/>'
+ 'Your browser does not support the video element.</video>';
const videoFormat = input.match(/^data:(.*);base64/)[1];
return `<video controls><source type="${escapeHtml(videoFormat)}" src="${escapeHtml(input)}"/>
+ 'Your browser does not support the video element.</video>`;
}

if (typeof input === 'object' && (input.toString() === '[object Object]' || input.toString().substr(0, 7) === '[object')) {
input = renderjson(input);
return renderjson(input);
}

// treat unknown data as escaped string
return escapeHtml(input.toString());
}

$.get(`${makeCollectionUrl()}${encodeURIComponent(_id)}/${prop}`, function (prop) {
prop = renderProp(prop);
// Set the element with gotten datas
target.parent().html(input);
target.parent().html(prop);

// Set original scroll position
$('.tableWrapper').scrollLeft(leftScroll);
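Review bot: The video branch's template literal in the `@@ -172` hunk swallowed the old concatenation: the line break and the `+ '` before `Your browser does not support the video element.` now sit inside the backticks, so the `<video>` fallback the browser renders is literally a newline followed by `+ 'Your browser does not support the video element.`. Fix it by keeping the whole string on one line with the fallback text placed directly after `/>`, i.e. `…src="${escapeHtml(input)}"/>Your browser does not support the video element.</video>` and no stray `+ '`. The `(.*)` in the regex above it is greedy, so a payload that contains another `;base64` stretches `videoFormat` far beyond the MIME type; it is escaped here, but `const videoFormat = input.match(/^data:([^;]*);base64,/)[1];` limits the attribute to what the prefix guard actually validated. Naming the `$.get` callback parameter `prop` also shadows the `prop` used to build the URL on the same line; `response` would read more clearly. The enclosing `$(() => { … })` handler starts and ends outside the hunk.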
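--- /dev/null
+++ b/lib/scripts/escapeHtml.js
@@ -0,0 +1,8 @@
+export default function (html) {
+// Turn < ? > into HTML entities, so data doesn't get interpreted by the browser
+return html.replace(/&/g, '&amp;')
+.replace(/</g, '&lt;')
+.replace(/>/g, '&gt;')
+.replace(/"/g, '&quot;')
+.replace(/'/g, '&apos;');
+}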
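Review bot: `&apos;` is not defined in HTML 4.01 (only in XML/XHTML and HTML5), so the last replace should use the numeric form that every browser decodes: `.replace(/'/g, '&#39;');`. `html.replace` also throws a TypeError if anything but a string reaches it; coercing first, `return String(html).replace(/&/g, '&amp;')`, makes the helper safe for numeric values a caller forgets to stringify. The header comment should state the contexts the helper covers, since the callers put values into both element content and attributes; I would write `// Escapes &, <, >, " and ' so untrusted text is safe as element content or inside a quoted attribute value; it does NOT make a value safe in an unquoted attribute, a URL, or inside <script>.`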
