Fix XSS in letter preview

Thanks to @GiantCrocodile
okfde · Dec 8, 2016 · c2d3e8d · c2d3e8d
1 parent 1b7465a
commit c2d3e8d
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/froide/static/js/foirequest.js b/froide/static/js/foirequest.js
@@ -146,6 +146,10 @@ Froide.app = Froide.app || {};
             return pb;
         };
 
+        var htmlEscape = function(s) {
+          return $('<div/>').text(s.toString()).html();
+        };
+
         return function(){
             var text, result, inputId, i, warnings = [],
                 reviewWarnings = $("#review-warnings");
@@ -184,14 +188,14 @@ Froide.app = Froide.app || {};
             $("#review-subject").text($("#id_subject").val());
             text = '';
             if (fullText) {
-                text += '<div class="highlight">' + $("#id_body").val() + "</div>";
+                text += '<div class="highlight">' + htmlEscape($("#id_body").val()) + "</div>";
             } else {
                 text += resolve_forms($('#letter_start').clone());
-                text += '\n\n<div class="highlight">' + $("#id_body").val() + "</div>\n\n";
-                text += $('#letter_end').text();
+                text += '\n\n<div class="highlight">' + htmlEscape($("#id_body").val()) + "</div>\n\n";
+                text += htmlEscape($('#letter_end').text());
             }
-            text += "\n" + getFullName();
-            text += "\n\n" + getAddress();
+            text += "\n" + htmlEscape(getFullName());
+            text += "\n\n" + htmlEscape(getAddress());
             $("#review-text").html(text);
         };
     }());