Sprint 1: Frontend: API gesichert vor XSS

User-Eingaben (Parameter aus GET/URLs) werden nur genutzt wenn diese Alpha-Numerisch + Unterstrich + Bindestrich sind.
s134328 · May 11, 2015 · 2aa760f · 2aa760f
1 parent f0b33e5
commit 2aa760f
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 5 deletions.
diff --git a/p05-integration/app/shared/api/apiService.js b/p05-integration/app/shared/api/apiService.js
@@ -40,7 +40,7 @@ ngApp.factory('apiService', ['$http', '$localStorage',function($http, $localStor
 	 * @function get
 	 * @memberOf app.api.apiService
 	 * @param {string} URL
-	 * @returns
+	 * @returns nothing
 	 */
 	var get = function(url, fn, callback) {
 		var now = new Date(); // current date and time
@@ -66,6 +66,25 @@ ngApp.factory('apiService', ['$http', '$localStorage',function($http, $localStor
 		}		
 	};
 
+	/**
+	 * Decode the string into a safe placeholder.
+	 * If it contains unsafe characters an empty string will be returned.
+	 * 
+	 * @private
+	 * @function placeholder
+	 * @memberOf app.api.apiService
+	 * @param {string} placeholder - A maybe unsafe placeholder used in an $http Request
+	 * @returns {string} Safe Placeholder
+	 */
+	var safe = function(placeholder) {
+		var reg = /^[a-zA-Z0-9\-_]+$/;
+		if(reg.test) {
+			return placeholder;
+		} else {
+			return "";
+		}
+	};
+
 	return {
 		/**
 		 * URL to the API
@@ -100,7 +119,7 @@ ngApp.factory('apiService', ['$http', '$localStorage',function($http, $localStor
 		 */
 		listCountries: function(callback) {
 			get('api/JSON_Dummies/Countries.json', 'listCountries', callback);
-			///get(this.url + "?apikey=" + this.apikey + "&lang=" + this.lang, 'listCountries', callback);
+			///get(this.url + '?apikey=' + this.apikey + '&lang=' + this.lang, 'listCountries', callback);
 		},
 
 		/**
@@ -114,7 +133,7 @@ ngApp.factory('apiService', ['$http', '$localStorage',function($http, $localStor
 		 */
 		listCities: function(country, callback) {
 			get('api/JSON_Dummies/Cities_Germany.json', 'listCities', callback);
-			//get('this.url + "?apikey=" + this.apikey + "&lang=" + this.lang + "&country=" + country', 'listCities', callback);
+			//get(this.url + '?apikey=' + this.apikey + '&lang=' + this.lang + '&country=' + safe(country), 'listCities', callback);
 		},
 
 		/**
@@ -129,7 +148,7 @@ ngApp.factory('apiService', ['$http', '$localStorage',function($http, $localStor
 		 */
 		listPlacesByCity: function(country, city, callback) {
 			get('api/JSON_Dummies/Lokale_Leipzig.json', 'listPlacesByCity',  callback);
-			//get(this.url + "?apikey=" + this.apikey + "&lang=" + this.lang + "&country=" + country + "&city=" + city',  callback);
+			//get(this.url + '?apikey=' + this.apikey + '&lang=' + this.lang + '&country=' + safe(country) + '&city=' + safe(city),  callback);
 		}
 	};
 }]);
diff --git a/p05-integration/cache.manifest b/p05-integration/cache.manifest
@@ -1,5 +1,5 @@
 CACHE MANIFEST
-# rev 20150511-0746
+# rev 20150511-0827
 
 CACHE:
 assets/css/veganguide.css