fixed XSS injection vulns on channel.php
oxguy3 committed Jul 14, 2016
1 parent 2aa4fb5 commit c1a6c44
Showing 2 changed files with 30 additions and 15 deletions.
25 changes: 13 additions & 12 deletions js/channel.js
Expand Up @@ -164,7 +164,7 @@ function displayChannelCommands() {
row += '<td class="js-commands-editcolumn"><span class="table-edit-btn" data-toggle="modal" data-target="#commandAddModal" data-command="' + cmd.key + '" data-accesslevel="' + cmd.restriction + '" data-response="' + cleanHtmlAttr(cmd.value) + '" data-modaltitle="Edit command"><i class="icon-pencil"></i><span class="sr-only">Edit</span></span></td>';
row += '<td><kbd class="command">' + cmd.key + '</kbd></td>';
row += '<td class="row-command-col-access" data-order="' + cmd.restriction + '">' + prettifyAccessLevel(cmd.restriction) + '</td>';
row += '<td class="should-be-linkified should-be-emotified">' + prettifyStringVariables(cmd.value) + '</td>';
row += '<td class="should-be-linkified should-be-emotified">' + prettifyStringVariables(cleanHtmlText(cmd.value)) + '</td>';
row += '<td>' + Humanize.intComma(cmd.count) + '</td>';
row += '</tr>';
rows += row;
Expand Down Expand Up @@ -261,7 +261,7 @@ function displayChannelQuotes() {
row += '<td class="js-quotes-editcolumn"><span class="table-edit-btn" data-toggle="modal" data-target="#quoteAddModal" data-quote="' + cleanHtmlAttr(quote.quote) + '" data-quoteid="' + (i+1) + '" data-modaltitle="Edit quote"><i class="icon-pencil"></i></span></td>';

row += '<td>' + (i+1) + '</td>';
row += '<td>' + quote.quote + '</td>';
row += '<td>' + cleanHtmlText(quote.quote) + '</td>';

var tsMoment = (quote.timestamp !== null) ? moment(quote.timestamp) : null;
var tsStr = (quote.timestamp !== null) ? tsMoment.calendar() : "Unknown";
Expand Down Expand Up @@ -320,7 +320,7 @@ function displayChannelAutoreplies() {
row += '<td class="js-autoreplies-editcolumn"><span class="table-edit-btn" data-toggle="modal" data-target="#autoreplyAddModal" data-trigger="' + cleanHtmlAttr(reply.trigger) + '" data-response="' + cleanHtmlAttr(reply.response) + '" data-arid="' + (i+1) + '" data-modaltitle="Edit auto-reply"><i class="icon-pencil"></i></span></td>';
row += '<td>' + (i+1) + '</td>';
row += '<td title="RegEx: ' + cleanHtmlAttr(reply.trigger) + '">' + prettifyRegex(reply.trigger) + '</td>';
row += '<td>' + prettifyStringVariables(reply.response) + '</td>';
row += '<td>' + prettifyStringVariables(cleanHtmlText(reply.response)) + '</td>';
row += '</tr>';
rows += row;
}
Expand Down Expand Up @@ -549,7 +549,7 @@ function showChannelHighlights() {
var strm = highlightsStats.streams[i];
var row = '<tr>';

row += '<td><span class="fake-link js-highlight-btn" data-hlid="' + strm.id + '">' + strm.title + '</span></td>';
row += '<td><span class="fake-link js-highlight-btn" data-hlid="' + strm.id + '">' + cleanHtmlText(strm.title) + '</span></td>';

var startMoment = moment.unix(strm.start);
var cleanStart = cleanHtmlAttr(startMoment.format('LLLL'));
Expand Down Expand Up @@ -734,9 +734,9 @@ function showChannelBoir() {
var boirContainer = $('.js-boir-container');
var html = "";

html += '<div class="boir-character"><strong>Character:</strong> ' + channelBoirData.character + "</div>";
html += '<div class="boir-floor"><strong>Floor:</strong> ' + channelBoirData.floor + "</div>";
html += '<div class="boir-seed"><strong>Seed:</strong> ' + channelBoirData.seed + "</div>";
html += '<div class="boir-character"><strong>Character:</strong> ' + cleanHtmlText(channelBoirData.character) + "</div>";
html += '<div class="boir-floor"><strong>Floor:</strong> ' + cleanHtmlText(channelBoirData.floor) + "</div>";
html += '<div class="boir-seed"><strong>Seed:</strong> ' + cleanHtmlText(channelBoirData.seed) + "</div>";
html += '<h3>Items</h3>';

html += '<div class="well boir-items items-container">';//<div class="row">';
Expand All @@ -754,13 +754,13 @@ function showChannelBoir() {
if (typeof channelBoirData.flyItems !== 'undefined' && typeof channelBoirData.flyProgress !== 'undefined') {
html += '<div class="col-md-6 text-center">';
html += '<h3>Lord of the Flies</h3>';
html += '<input type="text" class="dial js-boir-dial js-boir-dial-fly" value="' + channelBoirData.flyProgress + '">';
html += '<input type="text" class="dial js-boir-dial js-boir-dial-fly" value="' + cleanHtmlAttr(channelBoirData.flyProgress) + '">';

// html += '<h4>Items</h4>';
html += '<div class="row"><div class="col-sm-8 col-sm-offset-2"><ul class="list-group">'
for (var i = 0; i < channelBoirData.flyItems.length; i++) {
var item = channelBoirData.flyItems[i];
html += '<li class="list-group-item">' + item + '</li>';
html += '<li class="list-group-item">' + cleanHtmlText(item) + '</li>';
}
html += '</ul></div></div>';
html += '</div>';
Expand All @@ -769,13 +769,13 @@ function showChannelBoir() {
if (typeof channelBoirData.guppyItems !== 'undefined' && typeof channelBoirData.guppyProgress !== 'undefined') {
html += '<div class="col-md-6 text-center">';
html += '<h3>Guppy</h3>';
html += '<input type="text" class="dial js-boir-dial js-boir-dial-guppy" value="' + channelBoirData.guppyProgress + '">';
html += '<input type="text" class="dial js-boir-dial js-boir-dial-guppy" value="' + cleanHtmlAttr(channelBoirData.guppyProgress) + '">';

// html += '<h4>Items</h4>';
html += '<div class="row"><div class="col-sm-8 col-sm-offset-2"><ul class="list-group">'
for (var i = 0; i < channelBoirData.guppyItems.length; i++) {
var item = channelBoirData.guppyItems[i];
html += '<li class="list-group-item">' + item + '</li>';
html += '<li class="list-group-item">' + cleanHtmlText(item) + '</li>';
}
html += '</ul></div></div>';
}
Expand Down Expand Up @@ -965,6 +965,7 @@ function displayChannelReqsongs() {
}

function updateReqsongs() {
return true; //temporary disable
$.ajax({
data: {
a: "listReqsong",
Expand Down Expand Up @@ -1213,7 +1214,7 @@ $(document).ready(function() {
checkIfLiveChannel();
setInterval(checkIfLiveChannel, 30000);

$(".command").prepend('<span class="command-prefix">' + channelData.commandPrefix + '</span>');
$(".command").prepend('<span class="command-prefix">' + cleanHtmlText(channelData.commandPrefix) + '</span>');


var commandPrefixForUrl = channelData.commandPrefix;
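Review bot: The first hunk still writes `cmd.key` unescaped into the `data-command` attribute and into the `<kbd class="command">` cell (the two lines just above the new `cleanHtmlText(cmd.value)` call), and `cmd.restriction` goes raw into `data-accesslevel` / `data-order`; only `cmd.value` was escaped, so if command keys come from the same user-controlled source the cell should read `row += '<td><kbd class="command">' + cleanHtmlText(cmd.key) + '</kbd></td>';` with `cleanHtmlAttr(cmd.key)` in the attribute. The highlights hunk likewise leaves `strm.id` raw inside `data-hlid`, and the autoreplies hunk inserts `prettifyRegex(reply.trigger)` directly into a cell, which is safe only if prettifyRegex escapes its input (its body is outside this diff, so please confirm). Wrapping as `prettifyStringVariables(cleanHtmlText(...))` is the right order provided prettifyStringVariables only emits markup and its own matching does not depend on any of `& < > " ' /`, which cleanHtmlText rewrites first; a short comment at the first call site stating that ordering assumption would prevent someone swapping it. The `return true; //temporary disable` added to updateReqsongs leaves the whole `$.ajax` body unreachable; a named guard such as `var REQSONGS_ENABLED = false; if (!REQSONGS_ENABLED) { return true; }` makes the intent and the re-enable path explicit. displayChannelCommands, displayChannelQuotes, displayChannelAutoreplies, showChannelHighlights, showChannelBoir, updateReqsongs and the ready handler all start or end outside their hunks.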
20 changes: 17 additions & 3 deletions js/common.js
Expand Up @@ -24,6 +24,20 @@ function prettifyRegex(pattern) {
return pattern;
}

var cleanHtmlTextMap = {
"&": "&amp;",
"<": "&lt;",
">": "&gt;",
'"': '&quot;',
"'": '&#39;',
"/": '&#x2F;'
};

function cleanHtmlText(string) {
return String(string).replace(/[&<>"'\/]/g, function (s) {
return cleanHtmlTextMap[s];
});
}
function cleanHtmlAttr(val) {
return val.replace(/"/g, "&quot;");
}
Expand Down Expand Up @@ -164,9 +178,9 @@ function updateIsLive(streams, channels) {
var popover = isLiveTitles[liveStatus];
if (liveStatus == isLiveOn) {
popover = '<div class="islive-popover">';

popover += '<img src="'+stream.preview.medium+'" class="img-responsive" height="180" width="320">';

popover += '<i class="icon-gamepad"></i> ' + ((stream.channel.game) ? stream.channel.game : "Unknown") + '<br>';
popover += '<i class="icon-user"></i> ' + Humanize.intComma(stream.viewers) + '';
popover += '</div>';
Expand Down Expand Up @@ -209,4 +223,4 @@ function sortUnorderedList(selector) {
return (compA < compB) ? -1 : (compA > compB) ? 1 : 0;
})
$.each(listitems, function(idx, itm) { mylist.append(itm); })
}
}
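Review bot: `cleanHtmlAttr`, kept unchanged directly below the new `cleanHtmlText`, calls `val.replace` on its argument as-is, so the new call sites `cleanHtmlAttr(channelBoirData.flyProgress)` and `cleanHtmlAttr(channelBoirData.guppyProgress)` in js/channel.js will throw a TypeError if those progress values arrive as numbers, which their use as a dial `value` suggests; `cleanHtmlText` already guards this with `String(string)`. It also escapes only `"`, so `&` and `<` survive into the attribute and any `&amp;`-style sequence in the data is decoded by the parser, changing what is read back; making it delegate keeps the two helpers consistent: `function cleanHtmlAttr(val) { return cleanHtmlText(val); }`. The updateIsLive hunk further down still concatenates `stream.preview.medium` into an `img src` attribute and `stream.channel.game` into the popover markup without escaping; if those originate from the stream API rather than trusted configuration they need `cleanHtmlAttr` / `cleanHtmlText` as well. A JSDoc on `cleanHtmlText` along the lines of `/** Escapes &, <, >, ", ' and / so the value can be concatenated into HTML text or a double-quoted attribute; non-strings are coerced with String(). */` would help callers choose between the two helpers. updateIsLive and sortUnorderedList both start outside their hunks.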
