This repository has been archived by the owner on Mar 6, 2019. It is now read-only.
Fix lack of escaping (and so XSS vuln.) in select2 calls
The invocation of jQuery select2 to provide searchable dropdowns
didn't sanitise data coming from lookup, with the result that any
HTML markup it contained, including <script>...</script>, was
interpreted.

The documentation is difficult to follow, but indications are that the
formatter functions (at least formatResult and formatSelection), if
overridden, have to do their own escaping of data as necessary. They are
however passed the current global 'escapeMarkup' function as their
final parameter.
Jon Warbrick committed Sep 14, 2016
1 parent 959dece commit 5e25e47
Showing 4 changed files with 20 additions and 28 deletions.
12 changes: 5 additions & 7 deletions ucamlookup/templates/admin/auth/lookup_group/add_form.html
Expand Up @@ -47,20 +47,18 @@
return {results: data.groups};
}
},
formatResult: function(group) {
return group.title;
formatResult: function(group, container, query, escapeMarkup) {
return escapeMarkup(group.title);
},
formatSelection: function(group) {
return group.title;
formatSelection: function(group, container, escapeMarkup) {
return escapeMarkup(group.title);
},
id: function(group) {
return group.groupid;
},
dropdownCssClass: "bigdrop", // apply css that makes the dropdown taller
escapeMarkup: function (m) { return m; },
// we do not want to escape markup since we are displaying html in results
width: '100%'
});
});
</script>
{% endblock %}
{% endblock %}
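Review bot: the removal of the identity override `escapeMarkup: function (m) { return m; },` is the part of this hunk that actually makes the fix effective; wrapping `group.title` in `escapeMarkup(...)` inside `formatResult` and `formatSelection` would have stayed a no-op for as long as the global `escapeMarkup` still returned its argument unchanged, because select2 passes that same global function to the formatters as their final parameter. Worth a one-line comment in place of the deleted "we do not want to escape markup" remark so the next maintainer does not reintroduce the override to get HTML rendering back.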
12 changes: 5 additions & 7 deletions ucamlookup/templates/admin/auth/lookup_user/add_form.html
Expand Up @@ -46,20 +46,18 @@
return {results: data.persons};
}
},
formatResult: function(person) {
return person.visibleName+" ("+person.crsid+") ";
formatResult: function(person, container, query, escapeMarkup) {
return escapeMarkup(person.visibleName+" ("+person.crsid+") ");
},
formatSelection: function(person) {
return person.visibleName+" ("+person.crsid+") ";
formatSelection: function(person, container, escapeMarkup) {
return escapeMarkup(person.visibleName+" ("+person.crsid+") ");
},
id: function(person) {
return person.crsid;
},
dropdownCssClass: "bigdrop", // apply css that makes the dropdown taller
escapeMarkup: function (m) { return m; },
// we do not want to escape markup since we are displaying html in results
width: '50%'
});
});
</script>
{% endblock %}
{% endblock %}
12 changes: 5 additions & 7 deletions ucamlookup/templates/ucamlookup_groups.html
Expand Up @@ -25,18 +25,16 @@
return {results: data.groups};
}
},
formatResult: function(group) {
return group.title;
formatResult: function(group, container, query, escapeMarkup) {
return escapeMarkup(group.title);
},
formatSelection: function(group) {
return group.title;
formatSelection: function(group, container, escapeMarkup) {
return escapeMarkup(group.title);
},
id: function(group) {
return group.groupid;
},
dropdownCssClass: "bigdrop", // apply css that makes the dropdown taller
escapeMarkup: function (m) { return m; }
// we do not want to escape markup since we are displaying html in results
});

$("#{{ input_tag_id }}").select2("data", [
Expand All @@ -48,4 +46,4 @@
{% endfor %}
]);
});
</script>
</script>
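Review bot: the initial data passed to `$("#{{ input_tag_id }}").select2("data", [...])` is built by the `{% for %}` loop whose body is not shown in this hunk; please check whether the group titles in that loop are emitted with `{{ ... }}` under Django's autoescaping. If they are, they arrive already HTML-encoded and `formatSelection` will now run them through `escapeMarkup` a second time, so a title containing `&` would render as `&amp;`. Either mark those values as safe JavaScript string literals (e.g. with `escapejs`) so the only HTML escaping happens in `escapeMarkup`, or leave them unescaped in the template and rely on `escapeMarkup` alone. The same check applies to the matching loop in ucamlookup_users.html.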
12 changes: 5 additions & 7 deletions ucamlookup/templates/ucamlookup_users.html
Expand Up @@ -25,18 +25,16 @@
return {results: data.persons};
}
},
formatResult: function(person) {
return person.visibleName+" ("+person.crsid+") ";
formatResult: function(person, container, wuery, escapeMarkup) {
return escapeMarkup(person.visibleName+" ("+person.crsid+") ");
},
formatSelection: function(person) {
return person.visibleName+" ("+person.crsid+") ";
formatSelection: function(person, container, escapeMarkup) {
return escapeMarkup(person.visibleName+" ("+person.crsid+") ");
},
id: function(person) {
return person.crsid;
},
dropdownCssClass: "bigdrop", // apply css that makes the dropdown taller
escapeMarkup: function (m) { return m; }
// we do not want to escape markup since we are displaying html in results
});

$("#{{ input_tag_id }}").select2("data", [
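Review bot: the third parameter of `formatResult` is misspelled as `wuery` in `formatResult: function(person, container, wuery, escapeMarkup) {`; it is unused so the escaping still works, but it should read `query` to match the signature used in the other three templates. The same formatter block is now duplicated verbatim (apart from this typo) across all four templates, which is how a slip like this gets past review; pulling the `formatResult`/`formatSelection` pair into one shared static script would make the next escaping change a single edit.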
Expand All @@ -51,4 +49,4 @@
{% endfor %}
]);
});
</script>
</script>

0 comments on commit 5e25e47
