From aaf9f16a01a563e625f7388e03f205b933d9db42 Mon Sep 17 00:00:00 2001
From: Tommy Yu
Date: Thu, 11 Feb 2016 20:36:31 +1300
Subject: [PATCH 1/3] Demonstrate XSS vulnerability.
---
 mockup/tests/pattern-relateditems-test.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/mockup/tests/pattern-relateditems-test.js b/mockup/tests/pattern-relateditems-test.js
index d99698976..2daea1d50 100644
--- a/mockup/tests/pattern-relateditems-test.js
+++ b/mockup/tests/pattern-relateditems-test.js
@@ -56,7 +56,8 @@ define([
 var staff = [
 {UID: 'asdfasdf9sdf', Title: 'Mike', path: '/about/staff/mike', portal_type: 'Document', getIcon: ""},
- {UID: 'cvbcvb82345', Title: 'Joe', path: '/about/staff/joe', portal_type: 'Document', getIcon: ""}
+ {UID: 'cvbcvb82345', Title: 'Joe', path: '/about/staff/joe', portal_type: 'Document', getIcon: ""},
+ {UID: 'hax0r', Title: '', path: '/about/staff/xss', portal_type: 'Document', getIcon: ""}
 ];
 var addMissingFields = function(item) {
@@ -208,7 +209,7 @@ define([
 pattern.$el.select2('open');
 clock.tick(1000);
 expect(pattern.$el.select2('data')).to.have.length(0);
- expect($('.pattern-relateditems-result-select')).to.have.length(13);
+ expect($('.pattern-relateditems-result-select')).to.have.length(14);
 $('.pattern-relateditems-result-select').first().on('click', function() {
 expect(pattern.$el.select2('data')).to.have.length(1);
 expect(pattern.$el.select2('val')[0]).to.equal('gfn5634f');
@@ -336,7 +337,7 @@ define([
 pattern.$el.select2('open');
 clock.tick(1000);
 expect(pattern.$el.select2('data')).to.have.length(0);
- expect($('.pattern-relateditems-result-select')).to.have.length(13);
+ expect($('.pattern-relateditems-result-select')).to.have.length(14);
 $('.pattern-relateditems-result-path')
 .filter(function() { return $(this).text() === '/about'; })
 .click();
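Review bot: The new fixture entry `{UID: 'hax0r', Title: '', path: '/about/staff/xss', ...}` shows an empty title in this rendering, so the markup this test is meant to inject is not visible here (presumably stripped when the patch was rendered), and the only check that it was neutralised is the `expect(window.xss).not.equal(1);` added in the @@ -368 hunk, which passes vacuously whenever the item is never rendered on that path. I would add a positive assertion next to the count check in the @@ -208 hunk, e.g. `expect($('.pattern-relateditems-result-select').text()).to.contain(staff[2].Title);` (assuming `staff` is in scope there and the select anchor wraps the title), so the test proves the raw string was escaped into text rather than that nothing fired. `window.xss` is also never reset between tests, so a `delete window.xss;` in the test setup keeps one run's result from masking another's. The enclosing test functions start and end outside these hunks.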
@@ -368,6 +369,8 @@ define([
 var $crumbs = $('.pattern-relateditems-path a.crumb');
 // /about/staff
 expect($crumbs).to.have.length(3);
+ // Staff XSS bomb
+ expect(window.xss).not.equal(1);
 // /about
 $crumbs.eq(1).on('click', function() {
 }).click();
From a1d55bc2c1c8aaf23b1c96101f6e18c1b0936fd1 Mon Sep 17 00:00:00 2001
From: Tommy Yu
Date: Thu, 11 Feb 2016 20:40:54 +1300
Subject: [PATCH 2/3] Correct XSS issue in relateditems.
---
 mockup/patterns/relateditems/pattern.js | 27 ++++++++++++++-----------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/mockup/patterns/relateditems/pattern.js b/mockup/patterns/relateditems/pattern.js
index 86b3ef7f7..08b87fe97 100644
--- a/mockup/patterns/relateditems/pattern.js
+++ b/mockup/patterns/relateditems/pattern.js
@@ -6,9 +6,9 @@
 * basePath(string): If this is set the widget will start in "Browse" mode and will pass the path to the server to filter the results. ('/')
 * rootPath(string): If this is set the widget will only display breadcrumb path elements deeprt than this path.
 * mode(string): Possible values: 'search', 'browse'. If set to 'search', the catalog is searched for a searchterm. If set to 'browse', browsing starts at basePath. Default: 'search'.
- * breadCrumbTemplate(string): Template to use for a single item in the breadcrumbs. ('/<%= text %>')
+ * breadCrumbTemplate(string): Template to use for a single item in the breadcrumbs. ('/<%- text %>')
 * breadCrumbTemplateSelector(string): Select an element from the DOM from which to grab the breadCrumbTemplate. (null)
- * breadCrumbsTemplate(string): Template for element to which breadCrumbs will be appended. ('<%= searchText %><%= items %>')
+ * breadCrumbsTemplate(string): Template for element to which breadCrumbs will be appended. ('<%- searchText %><%- items %>')
 * breadCrumbsTemplateSelector(string): Select an element from the DOM from which to grab the breadCrumbsTemplate. (null)
 * cache(boolean): Whether or not results from the server should be
 * cached. (true)
@@ -111,23 +111,23 @@ define([
 resultTemplate: '' + '',
 resultTemplateSelector: null,
 selectionTemplate: '' + '' +
- ' <% if (typeof getIcon !== "undefined" && getIcon) { %> <% } %>' +
- ' state-<%= review_state %> <% } %>" ><%= Title %>' +
- ' <%= path %>' +
+ ' <% if (typeof getIcon !== "undefined" && getIcon) { %> <% } %>' +
+ ' state-<%- review_state %> <% } %>" ><%- Title %>' +
+ ' <%- path %>' +
 '',
 selectionTemplateSelector: null,
 breadCrumbsTemplate: '' +
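Review bot: The default quoted for breadCrumbsTemplate in this option comment, `('<%- searchText %><%- items %>')`, does not match the default the code actually sets in the @@ -144 hunk, which keeps `<%= items %>` on purpose because `items` is markup that has already been rendered; a caller who copies the documented default would double-escape the crumbs into visible entity text. Change the line to `* breadCrumbsTemplate(string): Template for element to which breadCrumbs will be appended. ('<%- searchText %><%= items %>')` and, since this option exists so callers can override the template, add a sentence saying which placeholders receive plain text (escaped with `<%-`) and which receive pre-built markup. The markup inside these quoted defaults is stripped in this rendering of the patch, so check the literal against the code before committing.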
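Review bot: The `<%=` to `<%-` switch covers only the three selectionTemplate lines, while `resultTemplate:` at the top of this hunk stays context and the select2 `escapeMarkup` hook at the end of the @@ -144 hunk returns its input unchanged, so any template line that still interpolates a catalog field with `<%=` is an unescaped sink that this commit does not close. The test fixture added in the first patch is counted by `.pattern-relateditems-result-select`, which is the search-result list, so the result template is the first place that item is rendered; grep the file for `<%=` and leave it only on values the pattern builds itself. The template markup is stripped in this rendering, so I cannot confirm from here what the `getIcon` conditional on the first changed line emits or whether it was already escaped. The options object this hunk edits starts and ends outside the hunk.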
@@ -144,12 +144,15 @@ define([
 '' +
 '' +
 '' +
- '<%= searchText %><%= items %>' +
+ '<%- searchText %>' +
+ '' +
+ // ``items assumed to be santized html``
+ '<%= items %>' +
 '' +
 '',
 breadCrumbsTemplateSelector: null,
 breadCrumbTemplate: '' +
- '/<%= text %>',
+ '/<%- text %>',
 breadCrumbTemplateSelector: null,
 escapeMarkup: function(text) {
 return text;
From 925561f042b96404b26e04d5575e18c78d15fd97 Mon Sep 17 00:00:00 2001
From: Tommy Yu
Date: Thu, 11 Feb 2016 20:49:21 +1300
Subject: [PATCH 3/3] Note this in changelog
- Also for the structure selection well XSS fix.
---
 CHANGES.rst | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES.rst b/CHANGES.rst
index d8e95277a..d7998a792 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -26,6 +26,9 @@ Fixes:
 - Fix path widgets initialization in querystring pattern.
 [Gagaro]
+- Fix XSS vulnerability issues in structure and relateditem pattern.
+ [metatoaster]
+
 2.1.2 (2016-01-08)
 ------------------
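Review bot: The new comment `// ``items assumed to be santized html``` is the only place that records why `<%= items %>` is deliberately left unescaped, but it states the assumption without saying who upholds it, has a typo, and uses RST double-backtick quoting inside a JS comment. I would write it as `// items is markup this pattern renders itself (presumably from breadCrumbTemplate, which now escapes text), so it is inserted raw on purpose; never route catalog data through this placeholder.` Since `escapeMarkup: function(text) { return text; }` at the bottom of the hunk means select2 performs no escaping of its own, that invariant deserves a comment there too, e.g. `// Identity on purpose: the templates escape with <%- %>, so select2 must not escape again.` The escapeMarkup function continues past the end of this hunk.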