Merge pull request #799 from dereklieu/xss-bug-fix

XSS bug fix

app/views/file.js

@@ -303,7 +303,7 @@ module.exports = Backbone.View.extend({
       }
     }).bind(this));
 
-    return content;
+    return _.escape(content);
   },
 
   initEditor: function() {
@@ -651,14 +651,14 @@ module.exports = Backbone.View.extend({
       metadata = this.model.get('metadata') || {};
       content = this.model.get('content') || '';
     }
-    
+
     // Run the liquid parsing.
     var parsedTemplate = Liquid.parse(this.compilePreview(content)).render({
       site: this.collection.config,
       post: metadata,
       page: metadata
     });
-    
+
     // If it's markdown, run it through marked; otherwise, leave it alone.
     if(this.model.get('markdown'))  parsedTemplate = marked(parsedTemplate);
 

app/views/header.js

@@ -53,11 +53,11 @@ module.exports = Backbone.View.extend({
       avatar: avatar,
       repo: this.repo ? this.repo.attributes : undefined,
       isPrivate: isPrivate,
-      input: this.input,
-      path: path,
+      input: _.escape(this.input),
+      path: _.escape(path),
       placeholder: this.placeholder,
       user: user,
-      title: title,
+      title: _.escape(title),
       mode: this.title ? 'title' : 'path',
       translate: this.file ? this.file.get('translate') : undefined
     };

app/views/sidebar/branch.js

@@ -15,7 +15,7 @@ module.exports = Backbone.View.extend({
     this.$el.val('#' + [ this.repo.get('owner').login, this.repo.get('name'), 'tree', this.model.get('name') ].join('/'));
     this.el.selected = this.branch && this.branch === this.model.get('name');
 
-    this.$el.html(this.model.get('name'));
+    this.$el.html(_.escape(this.model.get('name')));
 
     return this;
   }

templates/li/file.html

@@ -1,8 +1,8 @@
 <% if (file.binary) { %>
-  <div class='listing-icon icon round <%= file.extension %> <% if (file.media) { %>media<% } %>'></div>
+  <div class='listing-icon icon round <%- file.extension %> <% if (file.media) { %>media<% } %>'></div>
 <% } else { %>
-  <a href='#<%= file.repo.owner.login %>/<%= file.repo.name %>/edit/<%= file.branch %>/<%= file.path %>' class='listing-icon'>
-    <span class='icon round <%= file.extension %> <% if (file.markdown) { %> md<% } %> <% if (file.media) { %> media<% } %>'></span>
+  <a href='#<%= file.repo.owner.login %>/<%= file.repo.name %>/edit/<%- file.branch %>/<%- file.path %>' class='listing-icon'>
+    <span class='icon round <%- file.extension %> <% if (file.markdown) { %> md<% } %> <% if (file.media) { %> media<% } %>'></span>
   </a>
 <% } %>
 
@@ -11,7 +11,7 @@
     <% if (!file.binary) { %>
       <a class='clearfix'
         title="<%= t('main.repo.edit') %>"
-        href='#<%= file.repo.owner.login %>/<%= file.repo.name %>/edit/<%= file.branch %>/<%= file.path %>'>
+        href='#<%= file.repo.owner.login %>/<%= file.repo.name %>/edit/<%- file.branch %>/<%- file.path %>'>
         <%= t('main.repo.edit') %>
       </a>
     <% } %>
@@ -25,9 +25,9 @@
     <% } %>
   </div>
   <% if (file.binary) { %>
-    <h3 class='title' title='<%= file.name %>'><%= file.name %></h3>
+    <h3 class='title' title='<%- file.name %>'><%- file.name %></h3>
   <% } else { %>
-    <h3 class='title' title='<%= file.name %>'><a class='clearfix'href='#<%= file.repo.owner.login %>/<%= file.repo.name %>/edit/<%= file.branch %>/<%= file.path %>'><%= file.name %></a></h3>
+    <h3 class='title' title='<%- file.name %>'><a class='clearfix'href='#<%= file.repo.owner.login %>/<%= file.repo.name %>/edit/<%- file.branch %>/<%- file.path %>'><%- file.name %></a></h3>
   <% } %>
-  <span class='deemphasize'><%= file.jailpath %></span>
+  <span class='deemphasize'><%- file.jailpath %></span>
 </div>

templates/li/folder.html

@@ -5,8 +5,8 @@
 <span class='details'>
   <h3 class='title' title='<%= folder.name %>'>
     <a href='#<%= folder.repo.owner.login %>/<%= folder.repo.name %>/tree/<%= folder.branch %>/<%= folder.path %>'>
-      <%= folder.name %>
+      <%- folder.name %>
     </a>
   </h3>
-  <span class='deemphasize'><%= folder.jailpath %></span>
+  <span class='deemphasize'><%- folder.jailpath %></span>
 </span>

templates/sidebar/li/commit.html

@@ -1,4 +1,4 @@
-<a class='<%= data.status %>' href='#<%= [data.repo.owner.login, data.repo.name, data.mode, data.branch, data.path].join("/") %>'>
+<a class='<%= data.status %>' href='#<%- [data.repo.owner.login, data.repo.name, data.mode, data.branch, data.path].join("/") %>'>
   <span class='ico small inline <%= data.status %>'></span>
-  <span class='message'><%= data.file.filename %></span>
+  <span class='message'><%- data.file.filename %></span>
 </a>

test/spec/views/file.js

@@ -5,17 +5,17 @@ var FileView = require('../../../app/views/file'),
     mockFile = require('../../mocks/models/file'),
     mockApp = require('../../mocks/views/app'),
     mockRouter = require('../../mocks/router');
-    
+
 
 describe('File view', function() {
   var fileView;
-  
+
   beforeEach(function() {
     mockApp.reset(); // reset the DI state between tests.
   });
-  
+
   describe('in edit mode', function() {
-    
+
     beforeEach(function() {
       fileView = new FileView({
         app: mockApp(),
@@ -30,15 +30,15 @@ describe('File view', function() {
         sidebar: mockApp().sidebar
       });
     });
-    
+
     it('creates the CodeMirror editor', function() {
       fileView.model = mockFile()
       fileView.collection = fileView.model.collection;
       fileView.render();
-      
+
       expect(fileView.editor).to.be.ok;
     })
-    
+
     it('initializes CodeMirror with the file\'s contents', function() {
       var content = 'the file contents';
       fileView.model = mockFile(content)
@@ -47,5 +47,12 @@ describe('File view', function() {
       expect(fileView.editor.getValue()).to.equal(content)
     })
   });
-
+
+  describe('in preview mode', function() {
+      it('escapes script tags when compiling preview', function() {
+          var content = "<script>alert('pwned')</script>";
+          expect(fileView.compilePreview(content)).to.equal('&lt;script&gt;alert(&#x27;pwned&#x27;)&lt;&#x2F;script&gt;');
+      });
+  });
+
 });