From 7a0a9d94555502278534dedcf2d75e9fccce8c3d Mon Sep 17 00:00:00 2001
From: Christian Hammond <chipx86@chipx86.com>
Date: Tue, 15 Nov 2011 02:46:40 -0800
Subject: [PATCH] Fix a comment vulnerability allowing scripts to be loaded.

Due to the way that comments were loaded in, it was possible to
terminate a script and inject a new one while loading the diff viewer.
This isn't believed to have been a problem in the wild, but is certainly
an important one to fix.

We now ensure that the text is escaped at the point where it's being fed
into the JavaScript. It's no longer possible to inject scripts.

Thanks to Damian Johnson for the heads up and for the fix that this
change is based on.

This will be going into 1.5.7 and 1.6.3 releases.
---
 reviewboard/htdocs/media/rb/js/diffviewer.js   | 3 +++
 reviewboard/htdocs/media/rb/js/screenshots.js  | 3 +++
 reviewboard/reviews/templatetags/reviewtags.py | 5 +++--
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/reviewboard/htdocs/media/rb/js/diffviewer.js b/reviewboard/htdocs/media/rb/js/diffviewer.js
index ce96de6062..abc94b5e10 100644
--- a/reviewboard/htdocs/media/rb/js/diffviewer.js
+++ b/reviewboard/htdocs/media/rb/js/diffviewer.js
@@ -160,6 +160,9 @@ function DiffCommentBlock(beginRow, endRow, beginLineNum, endLineNum,
         for (var i in comments) {
             var comment = comments[i];
 
+            // We load in encoded text, so decode it.
+            comment.text = $("<div/>").html(comment.text).text();
+
             if (comment.localdraft) {
                 this._createDraftComment(comment.text);
             } else {
diff --git a/reviewboard/htdocs/media/rb/js/screenshots.js b/reviewboard/htdocs/media/rb/js/screenshots.js
index 896e2ac11a..7a40e3d3b9 100644
--- a/reviewboard/htdocs/media/rb/js/screenshots.js
+++ b/reviewboard/htdocs/media/rb/js/screenshots.js
@@ -36,6 +36,9 @@ function CommentBlock(x, y, width, height, container, comments) {
         for (var i in comments) {
             var comment = comments[i];
 
+            // We load in encoded text, so decode it.
+            comment.text = $("<div/>").html(comment.text).text();
+
             if (comment.localdraft) {
                 this._createDraftComment(comment.text);
             } else {
diff --git a/reviewboard/reviews/templatetags/reviewtags.py b/reviewboard/reviews/templatetags/reviewtags.py
index 81071dc12b..2eb988e9ce 100644
--- a/reviewboard/reviews/templatetags/reviewtags.py
+++ b/reviewboard/reviews/templatetags/reviewtags.py
@@ -4,6 +4,7 @@
 from django.template import NodeList, TemplateSyntaxError
 from django.template.loader import render_to_string
 from django.utils import simplejson
+from django.utils.html import escape
 from django.utils.translation import ugettext_lazy as _
 from djblets.util.decorators import basictag, blocktag
 from djblets.util.misc import get_object_or_none
@@ -126,7 +127,7 @@ def commentcounts(context, filediff, interfilediff=None):
 
             comment_dict.setdefault(key, []).append({
                 'comment_id': comment.id,
-                'text': comment.text,
+                'text': escape(comment.text),
                 'line': comment.first_line,
                 'num_lines': comment.num_lines,
                 'user': {
@@ -185,7 +186,7 @@ def screenshotcommentcounts(context, screenshot):
 
             comments.setdefault(position, []).append({
                 'id': comment.id,
-                'text': comment.text,
+                'text': escape(comment.text),
                 'user': {
                     'username': review.user.username,
                     'name': review.user.get_full_name() or review.user.username,