authorzeripath <art27@cantab.net>2018-12-21 13:40:40 +0000
committertechknowlogick <hello@techknowlogick.com>2018-12-21 08:40:40 -0500
commit330bf8d3b3128096485f65e5e0d790bde2adc007 (patch)
tree667ca96e8f158bec9ccdba9129ccbd3f4d51dead /public
parent4a02a783c43fef86a5345770e109830e23b68111 (diff)
Immediate fix to htmlEncode user added text (#5570)
There are likely problems remaining with the way that initCommentForm is creating its elements. I suspect that a malformed avatar url could be used maliciously.
Diffstat (limited to 'public')
-rw-r--r--public/js/index.js14
1 files changed, 9 insertions, 5 deletions
diff --git a/public/js/index.js b/public/js/index.js
index d65419f2ac..3d078a9848 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -1,5 +1,9 @@
'use strict';
+function htmlEncode(text) {
+ return jQuery('<div />').text(text).html()
+}
+
var csrf;
var suburl;
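Review bot: `htmlEncode` at L25–L27 is only safe for element text, not attribute values: `.html()` serializes the text node through innerHTML, which escapes `&`, `<` and `>` but leaves `"` and `'` untouched, so a value placed inside a quoted attribute can still break out of it. Every caller in this commit inserts into element content, but the helper's name invites reuse in the `href=`/`src=` concatenations elsewhere in this file, where it would give a false sense of safety. I would document the contract above the function: `// Escape text for use as HTML element content (&, <, > only). NOT safe for attribute values: quotes are not escaped; build attributes via the jQuery/DOM API instead.` If attribute use is wanted, an explicit chain is safer and also avoids the TypeError that `.text(undefined)` would raise (jQuery treats an undefined argument as a getter, so `.html()` is then called on a string): `return String(text).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');`. Style: the rest of the file uses `$` and terminates statements with `;`, while this helper uses `jQuery` and drops the semicolon on `return`.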
@@ -394,12 +398,12 @@ function initCommentForm() {
switch (input_id) {
case '#milestone_id':
$list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
- $(this).text() + '</a>');
+ htmlEncode($(this).text()) + '</a>');
break;
case '#assignee_id':
$list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
'<img class="ui avatar image" src=' + $(this).data('avatar') + '>' +
- $(this).text() + '</a>');
+ htmlEncode($(this).text()) + '</a>');
}
$('.ui' + select_id + '.list .no-select').addClass('hide');
$(input_id).val($(this).data('id'));
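Review bot: The `href` and `src` attributes at L34, L39 and L40 are still built by string concatenation with no quotes around the value, so encoding the link text does not protect them: a `data-href`/`data-avatar` value containing a space terminates the attribute and the next token becomes a new attribute (for example an `onerror` handler on the `<img>`). Where those data attributes originate is outside this hunk, so I can't say whether they are attacker-controlled today, but the commit message itself flags the avatar URL as the remaining risk. The robust fix is to stop assembling HTML strings here and build the elements with the DOM API, which makes both the attributes and the text inert regardless of content. `initCommentForm` starts and ends outside the hunk.
```javascript
case '#milestone_id':
    $list.find('.selected').empty().append(
        $('<a>', {'class': 'item', 'href': $(this).data('href')}).text($(this).text())
    );
    break;
case '#assignee_id':
    $list.find('.selected').empty().append(
        $('<a>', {'class': 'item', 'href': $(this).data('href')})
            .append($('<img>', {'class': 'ui avatar image', 'src': $(this).data('avatar')}))
            .append(document.createTextNode($(this).text()))
    );
// … unchanged: hide .no-select, set input value …
```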
@@ -1538,7 +1542,7 @@ function searchUsers() {
$.each(response.data, function (i, item) {
var title = item.login;
if (item.full_name && item.full_name.length > 0) {
- title += ' (' + item.full_name + ')';
+ title += ' (' + htmlEncode(item.full_name) + ')';
}
items.push({
title: title,
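Review bot: `item.login` on L48 goes into `title` unencoded while `item.full_name` on L51 is now encoded, yet both fields come from the same API response and the encoding implies `title` is rendered as HTML by the dropdown. Either the login needs the same treatment, or — if the dropdown actually renders `title` as text — the new `htmlEncode` call will display `&amp;` literally; the two lines should agree on one answer. I would write `var title = htmlEncode(item.login);` so every response field on this path is escaped consistently. `searchUsers` and the `$.each` callback begin outside the hunk, so I can't see how `items` is consumed.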
@@ -2692,7 +2696,7 @@ function initTopicbar() {
if (res.topics) {
formattedResponse.success = true;
for (var i=0;i < res.topics.length;i++) {
- formattedResponse.results.push({"description": res.topics[i].Name, "data-value":res.topics[i].Name})
+ formattedResponse.results.push({"description": res.topics[i].Name, "data-value": res.topics[i].Name})
}
}
@@ -2813,7 +2817,7 @@ function initIssueList() {
// Parse the response from the api to work with our dropdown
$.each(response, function(index, issue) {
filteredResponse.results.push({
- 'name' : '#' + issue.number + '&nbsp;' + issue.title,
+ 'name' : '#' + issue.number + '&nbsp;' + htmlEncode(issue.title),
'value' : issue.id
});
});
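Review bot: `issue.number` on L68 is still concatenated raw while `issue.title` is now encoded; the `&nbsp;` entity on the same line shows `name` is rendered as HTML, so every response field on that line should be escaped. The number is presumably an integer from the API, which makes this harmless today, but that guarantee lives server-side rather than in this code. A cheap way to keep the line self-evidently safe is `'name' : '#' + htmlEncode(String(issue.number)) + '&nbsp;' + htmlEncode(issue.title),`. `initIssueList` and the `$.each` callback begin outside the hunk.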