XSS Fix

smpallen99 · Sep 10, 2018 · 569b849 · 569b849
1 parent e79de99
commit 569b849
Show file tree

Hide file tree

Showing 10 changed files with 376 additions and 318 deletions.
diff --git a/lib/ex_admin/helpers.ex b/lib/ex_admin/helpers.ex
@@ -49,12 +49,6 @@ defmodule ExAdmin.Helpers do
     end
   end
 
-  def build_link_for({:safe, _} = safe_contents, d, a, b, c) do
-    safe_contents
-    |> Phoenix.HTML.safe_to_string()
-    |> build_link_for(d, a, b, c)
-  end
-
   def build_link_for("", _, _, _, _), do: ""
   def build_link_for(nil, _, _, _, _), do: ""
   def build_link_for(contents, _, %{link: false}, _, _), do: contents
@@ -75,7 +69,12 @@ defmodule ExAdmin.Helpers do
   defp build_content_link(link?, conn, resource, contents) do
     if link? && ExAdmin.Utils.authorized_action?(conn, :show, resource) do
       path = admin_resource_path(resource, :show)
-      "<a href='#{path}'>#{contents}</a>"
+
+      markup do
+        a href: path do
+          contents
+        end
+      end
     else
       contents
     end
@@ -157,9 +156,9 @@ defmodule ExAdmin.Helpers do
       opts
       |> Map.delete(:fun)
       |> Map.delete(:image)
-      |> build_attributes
+      |> Enum.map(fn {key, value} -> {key, to_string(value)} end)
 
-    "<img src='#{fun.(resource)}'#{attributes} />"
+    Phoenix.HTML.Tag.content_tag(:img, nil, attributes ++ [src: fun.(resource)])
     |> build_link_for(conn, opts, resource, f_name)
   end
 
@@ -202,11 +201,8 @@ defmodule ExAdmin.Helpers do
   end
 
   def build_single_field(resource, conn, f_name, %{fun: fun} = opts) do
-    markup :nested do
-      case fun.(resource) do
-        [{_, list}] -> list
-        other -> other
-      end
+    markup do
+      fun.(resource)
     end
     |> build_link_for(conn, opts, resource, f_name)
   end

diff --git a/lib/ex_admin/index.ex b/lib/ex_admin/index.ex
@@ -360,10 +360,13 @@ defmodule ExAdmin.Index do
       else
         columns ++
           [
-            {"Actions", %{
-              fun: fn resource -> build_index_links(conn, resource, actions, page.page_number) end,
-              label: ExAdmin.Gettext.gettext("Actions")
-            }}
+            {"Actions",
+             %{
+               fun: fn resource ->
+                 build_index_links(conn, resource, actions, page.page_number)
+               end,
+               label: ExAdmin.Gettext.gettext("Actions")
+             }}
           ]
       end
 

diff --git a/lib/ex_admin/sidebar.ex b/lib/ex_admin/sidebar.ex
@@ -14,7 +14,7 @@ defmodule ExAdmin.Sidebar do
     end)
   end
 
-  def sidebar_view(_conn, %{sidebars: []}, _), do: ""
+  def sidebar_view(_conn, %{sidebars: []}, _), do: nil
 
   def sidebar_view(conn, %{sidebars: sidebars}, resource) do
     for sidebar <- sidebars do

diff --git a/lib/ex_admin/table.ex b/lib/ex_admin/table.ex
@@ -85,7 +85,9 @@ defmodule ExAdmin.Table do
 
           {f_name, opts} ->
             build_field(resource, conn, {f_name, Enum.into(opts, %{})}, fn contents, f_name ->
-              td(".td-#{parameterize(f_name)} #{contents}")
+              td ".td-#{parameterize(f_name)}" do
+                contents
+              end
             end)
         end
       end
@@ -111,7 +113,14 @@ defmodule ExAdmin.Table do
   end
 
   def do_panel(conn, columns \\ [], table_opts \\ [], output \\ [])
-  def do_panel(_conn, [], _table_opts, output), do: Enum.join(Enum.reverse(output))
+
+  def do_panel(_conn, [], _table_opts, output),
+    do:
+      output
+      |> Enum.reverse()
+      |> Enum.map(&Phoenix.HTML.safe_to_string(Phoenix.HTML.html_escape(&1)))
+      |> Enum.join()
+      |> Phoenix.HTML.raw()
 
   def do_panel(
         conn,
@@ -258,60 +267,68 @@ defmodule ExAdmin.Table do
   end
 
   def handle_contents(%Ecto.DateTime{} = dt, field_name) do
-    td class: to_class("td-", field_name) do
-      text(to_string(dt))
+    markup do
+      td class: to_class("td-", field_name) do
+        text(to_string(dt))
+      end
     end
   end
 
   def handle_contents(%DateTime{} = dt, field_name) do
-    td class: to_class("td-", field_name) do
-      text(to_string(dt))
+    markup do
+      td class: to_class("td-", field_name) do
+        text(to_string(dt))
+      end
     end
   end
 
   def handle_contents(%NaiveDateTime{} = dt, field_name) do
-    td class: to_class("td-", field_name) do
-      text(to_string(dt))
+    markup do
+      td class: to_class("td-", field_name) do
+        text(to_string(dt))
+      end
     end
   end
 
   def handle_contents(%Ecto.Time{} = dt, field_name) do
-    td class: to_class("td-", field_name) do
-      text(to_string(dt))
+    markup do
+      td class: to_class("td-", field_name) do
+        text(to_string(dt))
+      end
     end
   end
 
   def handle_contents(%Ecto.Date{} = dt, field_name) do
-    td class: to_class("td-", field_name) do
-      text(to_string(dt))
+    markup do
+      td class: to_class("td-", field_name) do
+        text(to_string(dt))
+      end
     end
   end
 
   def handle_contents(%Time{} = dt, field_name) do
-    td class: to_class("td-", field_name) do
-      text(to_string(dt))
+    markup do
+      td class: to_class("td-", field_name) do
+        text(to_string(dt))
+      end
     end
   end
 
   def handle_contents(%Date{} = dt, field_name) do
-    td class: to_class("td-", field_name) do
-      text(to_string(dt))
+    markup do
+      td class: to_class("td-", field_name) do
+        text(to_string(dt))
+      end
     end
   end
 
   def handle_contents(%{}, _field_name), do: []
 
-  def handle_contents(contents, field_name) when is_binary(contents) do
-    td to_class(".td-", field_name) do
-      text(contents)
-    end
-  end
-
-  def handle_contents({:safe, contents}, field_name) do
-    handle_contents(contents, field_name)
-  end
-
   def handle_contents(contents, field_name) do
-    td(to_class(".td-", field_name), contents)
+    markup do
+      td to_class(".td-", field_name) do
+        contents
+      end
+    end
   end
 end