
fix(client): All template writes are by default HTML escaped. #4296

Merged
merged 1 commit into master from shane-tomlinson/unsafe-html-in-templates on Oct 25, 2016

3 participants
shane-tomlinson (Member) commented Oct 18, 2016

A new Mustache helper function `unsafeTranslate` has been added
for unsafe writes, to be used when inserting HTML.

All interpolation variables passed to `unsafeTranslate` must be
prefixed with `escaped` or else an exception is thrown. This is
to remind the developer to escape the variable in the most
appropriate way.

The `t` helper function now HTML escapes by default.

Rename some function/variable names for consistency:

  • `displaySuccessUnsafe` => `unsafeDisplaySuccess`
  • `displayErrorUnsafe` => `unsafeDisplayError`
  • `successUnsafe` => `unsafeSuccess`

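As an added illustration (not the FxA content-server code, which implements these as Mustache helpers over the rendered template), the following standalone JavaScript models the contract this PR describes and the HTML_WILL_BE_ESCAPED canary discussed further down the thread: `t` HTML-escapes the template text and every interpolated value, and reports when the template itself contains markup that is about to be neutralised; `unsafeTranslate` emits the template verbatim but refuses any interpolation variable not named `escaped...`. The `%(name)s` placeholder syntax, the `hasHTML` regex, the `onHtmlInTemplate` callback standing in for the Sentry report, and the hostile sample value are assumptions of this example.

```javascript
'use strict';

// Added example, not the FxA content-server implementation. Placeholder
// syntax `%(name)s`, the error messages and the callback are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape for insertion into an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Canary: does the string contain something that looks like an HTML tag?
// A template with markup passed to the escaping helper will render as
// literal text, which is almost always a missed `unsafeTranslate` conversion.
function hasHTML(text) {
  return /<[a-zA-Z!\/][^>]*>/.test(text);
}

const PLACEHOLDER = /%\(([A-Za-z_][A-Za-z0-9_]*)\)s/g;

// Substitute placeholders, passing each value through `transform` first.
function interpolate(template, context, transform) {
  return template.replace(PLACEHOLDER, (match, name) => {
    if (!(name in context)) {
      throw new Error(`missing interpolation variable: ${name}`);
    }
    return transform(context[name]);
  });
}

// Safe default: template text and every interpolated value are HTML escaped,
// so a user-controlled value cannot break out of the text node it lands in.
// `onHtmlInTemplate` stands in for the HTML_WILL_BE_ESCAPED error report.
function t(template, context = {}, onHtmlInTemplate = () => {}) {
  if (hasHTML(template)) {
    onHtmlInTemplate(template);
  }
  return interpolate(escapeHtml(template), context, escapeHtml);
}

// Unsafe write: markup in the template is emitted as-is. Every interpolation
// variable must be named `escaped...`, forcing the caller to state that the
// value was already escaped for the context it lands in (text, attribute, URL).
function unsafeTranslate(template, context = {}) {
  for (const name of Object.keys(context)) {
    if (!name.startsWith('escaped')) {
      throw new Error(
        `unsafeTranslate: variable "${name}" must be prefixed with "escaped"`
      );
    }
  }
  return interpolate(template, context, String);
}

// Constructed sample: a hostile display name flowing through both helpers.
function demo() {
  const hostile = '<img src=x onerror=alert(1)>';
  const results = {};

  results.safe = t('Welcome back, %(name)s.', { name: hostile });

  results.unsafe = unsafeTranslate(
    'Open <a href="%(escapedHref)s">%(escapedLabel)s</a>',
    {
      escapedHref: escapeHtml('https://example.com/?q=a&b'),
      escapedLabel: escapeHtml(hostile),
    }
  );

  try {
    unsafeTranslate('<b>%(name)s</b>', { name: hostile });
    results.rejected = false;
  } catch (e) {
    results.rejected = true;
  }
  return results;
}

module.exports = { escapeHtml, hasHTML, t, unsafeTranslate, demo };
```

The naming rule does not prove the value was escaped correctly; it only makes the unsafe path loud at the call site and in review, which is the point of the `unsafe*` renames in this PR. The canary in `t` is what catches the reverse mistake in production: a template that still carries markup after the default flipped to escaping.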
@shane-tomlinson shane-tomlinson self-assigned this Oct 18, 2016

Outdated review threads on app/scripts/lib/strings.js, app/scripts/views/base.js and app/scripts/views/mixins/open-webmail-mixin.js.
@@ -19,8 +19,7 @@ define(function (require, exports, module) {
const TOOLTIP_MESSAGES = {
FOCUS_PROMPT_MESSAGE: t('8 characters minimum, but longer if you plan to sync passwords.'),
INITIAL_PROMPT_MESSAGE: t('A strong, unique password will keep your Firefox data safe from intruders.'),
WARNING_PROMPT_MESSAGE: t('This is a common password; please consider another one.'),
WARNING_PROMPT_MESSAGE_WITH_LINK: t('This is a common password; please consider another one.')
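Review bot: WARNING_PROMPT_MESSAGE and WARNING_PROMPT_MESSAGE_WITH_LINK now hold the identical string, so the `_WITH_LINK` key either is dead or promises a link that is not there; alias it (`WARNING_PROMPT_MESSAGE_WITH_LINK: WARNING_PROMPT_MESSAGE`) or remove the key and its call sites rather than keeping two constants for one message. If a linked variant is ever reinstated, note that these constants are built with `t(...)` at module load, which now escapes, so it would have to go through `unsafeTranslate` with an `escaped`-prefixed href.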

shane-tomlinson (Member) Oct 19, 2016

The _WITH_LINK variant didn't have a link, so I consolidated the two messages.

Outdated review threads on app/tests/spec/views/base.js.

@shane-tomlinson shane-tomlinson removed the WIP label Oct 19, 2016

@shane-tomlinson shane-tomlinson changed the title from WIP: fix(client): All template writes are by default HTML escaped. to fix(client): All template writes are by default HTML escaped. Oct 19, 2016

@shane-tomlinson shane-tomlinson removed their assignment Oct 19, 2016

shane-tomlinson (Member) commented Oct 19, 2016

@mozilla/fxa-devs - who wants it?

seanmonstar (Member)

I absolutely love the explicit naming: unsafeTranslate and escapedFoo. This PR just gives me a warm fuzzy feeling inside. Thank you!

if (Strings.hasHTML(text)) {
const err = AuthErrors.toError('HTML_WILL_BE_ESCAPED');
err.string = text;
this.logError(err);

seanmonstar (Member) Oct 19, 2016

In production does this error get sent to us, like Sentry or something?

shane-tomlinson (Member) Oct 21, 2016

Yup, exactly, the string itself will be part of the message displayed in Sentry.

Outdated review threads on app/scripts/lib/strings.js.

shane-tomlinson (Member) commented Oct 21, 2016

@seanmonstar - updated!

seanmonstar (Member)

All tidy! Looks good from here, except that Travis went red. It might be because of the DNS outage, so I just gave it a kick. Merge when travis is green!

shane-tomlinson merged commit 4329101 into master Oct 25, 2016

4 checks passed:

  • ci/circleci: Your tests passed on CircleCI!
  • continuous-integration/travis-ci/pr: The Travis CI build passed
  • continuous-integration/travis-ci/push: The Travis CI build passed
  • coverage/coveralls: Coverage decreased (-0.02%) to 98.728%

shane-tomlinson deleted the shane-tomlinson/unsafe-html-in-templates branch Oct 25, 2016

rfk added this to the FxA-0: quality milestone Nov 8, 2016

rfk (Member) commented Nov 8, 2016

@shane-tomlinson does this fix the issue reported by cure53?

shane-tomlinson (Member) commented Nov 8, 2016

@rfk - yes

[screenshot, 2016-11-08 12:06:28]
