
Fix a comment vulnerability allowing scripts to be loaded.

Due to the way that comments were loaded in, it was possible to
terminate a script and inject a new one while loading the diff viewer.
This isn't believed to have been a problem in the wild, but is certainly
an important one to fix.

We now ensure that the text is escaped at the point where it's being fed
into the JavaScript. It's no longer possible to inject scripts.

Thanks to Damian Johnson for the heads up and for the fix that this
change is based on.

This will be going into the 1.5.7 and 1.6.3 releases.
chipx86 committed Nov 15, 2011
1 parent 9b789e4 commit 7a0a9d94555502278534dedcf2d75e9fccce8c3d
@@ -160,6 +160,9 @@ function DiffCommentBlock(beginRow, endRow, beginLineNum, endLineNum,
for (var i in comments) {
var comment = comments[i];
// We load in encoded text, so decode it.
comment.text = $("<div/>").html(comment.text).text();
if (comment.localdraft) {
this._createDraftComment(comment.text);
} else {
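Review bot: the new comment "We load in encoded text, so decode it." does not say where the encoding happens, so a later change to either side can silently break the pairing; state it explicitly, e.g. `// comment.text is HTML-escaped by the commentcounts template tag; decode it here.` Worth adding to the same comment: the `$("<div/>").html(comment.text).text()` round trip is only safe while the input is entity-escaped, because `.html()` parses its argument as markup into the detached element, so an unescaped string reaching this point would be interpreted rather than decoded.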
@@ -36,6 +36,9 @@ function CommentBlock(x, y, width, height, container, comments) {
for (var i in comments) {
var comment = comments[i];
// We load in encoded text, so decode it.
comment.text = $("<div/>").html(comment.text).text();
if (comment.localdraft) {
this._createDraftComment(comment.text);
} else {
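Review bot: this is the same three-line decode as in `DiffCommentBlock` above, so the encoding contract now has to be kept in sync in two places. Suggest a single shared helper (for instance a small `decodeCommentText(text)` in the common comment code, a hypothetical name) that both `CommentBlock` and `DiffCommentBlock` call, so that the one spot that knows the text arrives HTML-escaped is the only spot that needs updating if the server-side encoding ever changes.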
@@ -4,6 +4,7 @@
from django.template import NodeList, TemplateSyntaxError
from django.template.loader import render_to_string
from django.utils import simplejson
from django.utils.html import escape
from django.utils.translation import ugettext_lazy as _
from djblets.util.decorators import basictag, blocktag
from djblets.util.misc import get_object_or_none
@@ -126,7 +127,7 @@ def commentcounts(context, filediff, interfilediff=None):
comment_dict.setdefault(key, []).append({
'comment_id': comment.id,
'text': comment.text,
'text': escape(comment.text),
'line': comment.first_line,
'num_lines': comment.num_lines,
'user': {
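Review bot: escaping `comment.text` per field works for this case, but it leaves the other string values in the same dict unprotected; the `'user': {` block that this hunk is cut off at carries strings from the same serialization path, and the change does not touch them. Since this structure is dumped with `simplejson` into a script block, a more robust place for the fix is the point where the dict is serialized (escape every string value, or post-process the JSON so `<` and `>` cannot appear literally), which covers fields added later without anyone remembering to wrap them. Either way, a regression test that puts a comment containing `</script>` through `commentcounts` and asserts that the rendered output contains no literal `</script>` would lock the fix in.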
@@ -185,7 +186,7 @@ def screenshotcommentcounts(context, screenshot):
comments.setdefault(position, []).append({
'id': comment.id,
'text': comment.text,
'text': escape(comment.text),
'user': {
'username': review.user.username,
'name': review.user.get_full_name() or review.user.username,
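Review bot: the two lines of context right after the change, `'username': review.user.username,` and `'name': review.user.get_full_name() or review.user.username,`, are user-supplied strings emitted through exactly the same JSON-in-script path as `text`, and they remain unescaped in this hunk. A user's full name in particular is free-form text. Recommend applying `escape()` to these as well (with the matching decode on the JS side), or, as with the diff-comment tag, moving the escaping to the serialization step so that all string fields in the payload are handled uniformly.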
