From fb44df981581354bf23a6928427ad2bf73c4550f Mon Sep 17 00:00:00 2001
From: Marc Hartmayer
Date: Sun, 7 Jun 2020 22:58:56 +0200
Subject: WIP: XSS fixes
---
 client/components/activities/activities.jade | 56 ++++++++++++------------
 client/components/activities/activities.js | 28 ++++++++----
 client/components/rules/actions/cardActions.jade | 2 +-
 3 files changed, 48 insertions(+), 38 deletions(-)
(limited to 'client')
diff --git a/client/components/activities/activities.jade b/client/components/activities/activities.jade
index c86936a0..77acd6a3 100644
--- a/client/components/activities/activities.jade
+++ b/client/components/activities/activities.jade
@@ -34,38 +34,38 @@ template(name="activity") //- board activity ------------------------------------------------------ if($eq mode 'board') if($eq activity.activityType 'createBoard') - | {{_ 'activity-created' boardLabel}}. + | {{{_ 'activity-created' boardLabelLink}}}. if($eq activity.activityType 'importBoard') - | {{{_ 'activity-imported-board' boardLabel sourceLink}}}. + | {{{_ 'activity-imported-board' boardLabelLink sourceLink}}}. if($eq activity.activityType 'addBoardMember') - | {{{_ 'activity-added' memberLink boardLabel}}}. + | {{{_ 'activity-added' memberLink boardLabelLink}}}. if($eq activity.activityType 'removeBoardMember') - | {{{_ 'activity-excluded' memberLink boardLabel}}}. + | {{{_ 'activity-excluded' memberLink boardLabelLink}}}. //- card activity ------------------------------------------------------- if($eq activity.activityType 'createCard') if($eq mode 'card') - | {{{_ 'activity-added' cardLabel activity.listName}}}. + | {{{_ 'activity-added' cardLabelLink (sanitize activity.listName)}}}. else - | {{{_ 'activity-added' cardLabel boardLabel}}}. + | {{{_ 'activity-added' cardLabelLink boardLabelLink}}}. if($eq activity.activityType 'importCard') - | {{{_ 'activity-imported' cardLink boardLabel sourceLink}}}. + | {{{_ 'activity-imported' cardLink boardLabelLink sourceLink}}}. if($eq activity.activityType 'moveCard') - | {{{_ 'activity-moved' cardLabel activity.oldList.title activity.list.title}}}. + | {{{_ 'activity-moved' cardLabelLink (sanitize activity.oldList.title) (sanitize activity.list.title)}}}. if($eq activity.activityType 'moveCardBoard') - | {{{_ 'activity-moved' cardLink activity.oldBoardName activity.boardName}}}. + | {{{_ 'activity-moved' cardLink (sanitize activity.oldBoardName) (sanitize activity.boardName)}}}. if($eq activity.activityType 'archivedCard') | {{{_ 'activity-archived' cardLink}}}. if($eq activity.activityType 'restoredCard') - | {{{_ 'activity-sent' cardLink boardLabel}}}. 
+ | {{{_ 'activity-sent' cardLink boardLabelLink}}}. //- checklist activity -------------------------------------------------- if($eq activity.activityType 'addChecklist') @@ -83,25 +83,25 @@ template(name="activity") | {{{_ 'activity-checklist-removed' cardLink}}}. if($eq activity.activityType 'completeChecklist') - | {{{_ 'activity-checklist-completed' activity.checklist.title cardLink}}}. + | {{{_ 'activity-checklist-completed' (sanitize activity.checklist.title) cardLink}}}. if($eq activity.activityType 'uncompleteChecklist') - | {{{_ 'activity-checklist-uncompleted' activity.checklist.title cardLink}}}. + | {{{_ 'activity-checklist-uncompleted' (sanitize activity.checklist.title) cardLink}}}. if($eq activity.activityType 'checkedItem') - | {{{_ 'activity-checked-item' checkItem activity.checklist.title cardLink}}}. + | {{{_ 'activity-checked-item' (sanitize checkItem) (sanitize activity.checklist.title) cardLink}}}. if($eq activity.activityType 'uncheckedItem') - | {{{_ 'activity-unchecked-item' checkItem activity.checklist.title cardLink}}}. + | {{{_ 'activity-unchecked-item' (sanitize checkItem) (sanitize activity.checklist.title) cardLink}}}. if($eq activity.activityType 'addChecklistItem') - | {{{_ 'activity-checklist-item-added' activity.checklist.title cardLink}}}. + | {{{_ 'activity-checklist-item-added' (sanitize activity.checklist.title) cardLink}}}. .activity-checklist(href="{{ activity.card.absoluteUrl }}") +viewer = activity.checklistItem.title if($eq activity.activityType 'removedChecklistItem') - | {{{_ 'activity-checklist-item-removed' activity.checklist.title cardLink}}}. + | {{{_ 'activity-checklist-item-removed' (sanitize activity.checklist.title) cardLink}}}. //- comment activity ---------------------------------------------------- if($eq mode 'card') 
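Review bot: The new `(sanitize activity.listName)`, `(sanitize activity.oldList.title)` and `(sanitize activity.boardName)` arguments are still rendered through the unescaped triple-stache, and if `sanitize` is the default filter of the `xss` package imported in activities.js it is a whitelist sanitizer rather than an escaper: as far as I recall its default whitelist keeps tags such as `a`, `img` and `b` with `href`/`src`, so a list or board name could still inject a link or a remote image load into every viewer's activity feed. These names are meant to be shown as plain text, so escape them instead of sanitizing — either keep them out of the `{{{ }}}` or make the `sanitize` helper HTML-escape its argument (for example by running the filter with `whiteList: {}` so every tag is encoded). The triple-stache is only needed because `cardLabelLink`/`boardLabelLink` return anchor markup, which is the one input that must stay unescaped. The enclosing `template(name="activity")` block starts before this hunk.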
@@ -143,31 +143,31 @@ template(name="activity") | {{_ 'activity-customfield-created' customField}}. if($eq activity.activityType 'setCustomField') - | {{{_ 'activity-set-customfield' lastCustomField lastCustomFieldValue cardLink}}}. + | {{{_ 'activity-set-customfield' (sanitize lastCustomField) (sanitize lastCustomFieldValue) cardLink}}}. if($eq activity.activityType 'unsetCustomField') - | {{{_ 'activity-unset-customfield' lastCustomField cardLink}}}. + | {{{_ 'activity-unset-customfield' (sanitize lastCustomField) cardLink}}}. //- label activity ------------------------------------------------------ if($eq activity.activityType 'addedLabel') - | {{{_ 'activity-added-label' lastLabel cardLink}}}. + | {{{_ 'activity-added-label' (sanitize lastLabel) cardLink}}}. if($eq activity.activityType 'removedLabel') - | {{{_ 'activity-removed-label' lastLabel cardLink}}}. + | {{{_ 'activity-removed-label' (sanitize lastLabel) cardLink}}}. //- list activity ------------------------------------------------------- if($neq mode 'card') if($eq activity.activityType 'createList') - | {{{_ 'activity-added' listLabel boardLabel}}}. + | {{{_ 'activity-added' (sanitize listLabel) boardLabelLink}}}. if($eq activity.activityType 'importList') - | {{{_ 'activity-imported' listLabel boardLabel sourceLink}}}. + | {{{_ 'activity-imported' (sanitize listLabel) boardLabelLink sourceLink}}}. if($eq activity.activityType 'removeList') - | {{{_ 'activity-removed' activity.title boardLabel}}}. + | {{{_ 'activity-removed' (sanitize activity.title) boardLabelLink}}}. if($eq activity.activityType 'archivedList') - | {{_ 'activity-archived' listLabel}}. + | {{_ 'activity-archived' (sanitize listLabel)}}. //- member activity ---------------------------------------------------- if($eq activity.activityType 'joinMember') 
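Review bot: `| {{_ 'activity-archived' (sanitize listLabel)}}.` combines the sanitizer with the escaping double-stache, so whatever the filter entity-encodes (with the `xss` package, a disallowed tag comes back as `&lt;…&gt;`) is escaped a second time by Blaze, and a list named `a <b> c` would display the literal text `&lt;b&gt;`. In an escaped context the raw value is the right input; keep `| {{_ 'activity-archived' listLabel}}.` and reserve `sanitize` for arguments that end up inside `{{{ }}}`. The rest of this hunk is consistent with that rule, but the same mix reappears in the swimlane lines further down the file. The enclosing `template(name="activity")` block starts before this hunk.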
@@ -185,15 +185,15 @@ template(name="activity") //- swimlane activity -------------------------------------------------- if($neq mode 'card') if($eq activity.activityType 'createSwimlane') - | {{{_ 'activity-added' activity.swimlane.title boardLabel}}}. + | {{_ 'activity-added' (sanitize activity.swimlane.title) boardLabelLink}}. if($eq activity.activityType 'archivedSwimlane') - | {{_ 'activity-archived' activity.swimlane.title}}. + | {{_ 'activity-archived' (sanitize activity.swimlane.title)}}. //- I don't understand this part ---------------------------------------- if(currentData.timeKey) - | {{{_ activity.activityType }}} + | {{_ activity.activityType }} = ' ' i(title=currentData.timeValue).activity-meta {{ moment currentData.timeValue 'LLL' }} if (currentData.timeOldValue) @@ -203,6 +203,6 @@ template(name="activity") i(title=currentData.timeOldValue).activity-meta {{ moment currentData.timeOldValue 'LLL' }} = ' @' else if(currentData.timeValue) - | {{{_ activity.activityType currentData.timeValue}}} + | {{_ activity.activityType currentData.timeValue}} span(title=activity.createdAt).activity-meta {{ moment activity.createdAt }} diff --git a/client/components/activities/activities.js b/client/components/activities/activities.js index 5d356f6e..b6635da1 100644 --- a/client/components/activities/activities.js +++ b/client/components/activities/activities.js @@ -1,3 +1,5 @@ +import sanitizeXss from 'xss'; + const activitiesPerPage = 20; BlazeComponent.extendComponent({ @@ -57,7 +59,7 @@ BlazeComponent.extendComponent({ return checkItem && checkItem.title; }, - boardLabel() { + boardLabelLink() { const data = this.currentData(); if (data.mode !== 'board') { return createBoardLink(data.activity.board(), data.activity.listName); 
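Review bot: The `createSwimlane` line moves from `{{{ }}}` to `{{ }}` while still passing `boardLabelLink`, and that helper (visible in the activities.js hunk below) returns anchor markup from `createBoardLink` whenever `mode !== 'board'`; under this `if($neq mode 'card')` branch the markup would now be escaped and shown as literal `<a href=…>` text for any mode other than `board`, if such a mode reaches this template. Either keep the unescaped form for this one line — `| {{{_ 'activity-added' (sanitize activity.swimlane.title) boardLabelLink}}}.` — or have the helper return escaped text. Note also that `sanitize` output inside a double-stache is escaped twice (`&lt;` becomes `&amp;lt;`), so the `archivedSwimlane` line should pass `activity.swimlane.title` unsanitized. The enclosing `template(name="activity")` block starts before this hunk.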
@@ -65,10 +67,10 @@ BlazeComponent.extendComponent({ return TAPi18n.__('this-board'); }, - cardLabel() { + cardLabelLink() { const data = this.currentData(); if (data.mode !== 'card') { - return createCardLink(this.currentData().activity.card()); + return createCardLink(data.activity.card()); } return TAPi18n.__('this-card'); }, @@ -134,11 +136,11 @@ BlazeComponent.extendComponent({ { href: source.url, }, - source.system, + sanitizeXss(source.system), ), ); } else { - return source.system; + return sanitizeXss(source.system); } } return null; @@ -162,10 +164,10 @@ BlazeComponent.extendComponent({ href: attachment.url({ download: true }), target: '_blank', }, - attachment.name(), + sanitizeXss(attachment.name()), ), )) || - this.currentData().activity.attachmentName + sanitizeXss(this.currentData().activity.attachmentName) ); }, @@ -202,7 +204,15 @@ BlazeComponent.extendComponent({ }, }).register('activity'); +Template.activity.helpers({ + sanitize(value) { + return sanitizeXss(value); + }, +}); + function createCardLink(card) { + if (!card) + return ''; return ( card && Blaze.toHTML( @@ -211,7 +221,7 @@ function createCardLink(card) { href: card.absoluteUrl(), class: 'action-card', }, - card.title, + sanitizeXss(card.title), ), ) ); @@ -228,7 +238,7 @@ function createBoardLink(board, list) { href: board.absoluteUrl(), class: 'action-board', }, - text, + sanitizeXss(text), ), ) ); diff --git a/client/components/rules/actions/cardActions.jade b/client/components/rules/actions/cardActions.jade index c10c4b2b..469c1c50 100644 --- a/client/components/rules/actions/cardActions.jade +++ b/client/components/rules/actions/cardActions.jade @@ -75,7 +75,7 @@ template(name="cardActions") button.trigger-button.trigger-button-color.js-show-color-palette( id="color-action" class="card-details-{{cardColorButton}}") - | {{{_ cardColorButtonText }}} + | {{{_ cardColorButtonText }}} // XSS?! div.trigger-button.js-set-color-action.js-goto-rules i.fa.fa-plus -- cgit v1.2.3-1-g7c22
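Review bot: `href: source.url` is handed straight to `HTML.A`, which escapes the attribute value but does not check the URL scheme, so if the import source URL comes from user-supplied import data a `javascript:` or `data:` URL would still become a clickable link; the commit sanitizes the link text (`sanitizeXss(source.system)`) but leaves the target unchecked. Guard the scheme before building the anchor, e.g. `const url = /^https?:\/\//i.test(source.url) ? source.url : null;` and take the plain-text `else` branch when it is null. I cannot see where `source.url` originates, so treat this as something to confirm rather than a proven hole. The enclosing helper (presumably `sourceLink`) begins before this hunk.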
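Review bot: The new `sanitize` template helper forwards values to the `xss` default filter, which (as far as I recall) keeps a whitelist of tags such as `a`, `img` and `b` with `href`/`src`, so it removes scripts but still lets a card, list or checklist title inject links or remote image loads into other users' feeds; since every call site in activities.jade wants plain text, an escaping helper is the safer contract. Build the filter once with an empty whitelist and use it here, e.g. `const textOnly = new sanitizeXss.FilterXSS({ whiteList: {} });` and `sanitize(value) { return textOnly.process(value == null ? '' : String(value)); }` — the `xss` package exposes the `FilterXSS` constructor on its export, to be confirmed against the installed version. Separately, the added `if (!card) return '';` makes the `card &&` that follows redundant; drop one of the two. `createCardLink` continues past this hunk.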
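Review bot: `sanitizeXss(card.title)` is applied to a string child of `HTML.A` that `Blaze.toHTML` already HTML-escapes (htmljs encodes `&` and `<` in text nodes, as far as I recall), so this line does not close an injection path but does double-encode: a card titled `a < b` would come back as `a &amp;lt; b` and display the literal `&lt;` in the feed. Pass `card.title` through unchanged and let `toHTML` do the escaping; the same applies to `sanitizeXss(text)` in `createBoardLink` and to `sanitizeXss(source.system)` and `sanitizeXss(attachment.name())` where they are children of `HTML.A`. The `else` branches that return a bare string bypass `toHTML` and do still need escaping. `createCardLink` starts before this hunk.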
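Review bot: In Jade/Pug the `// XSS?!` appended to the piped-text line is not a comment — everything after `| ` is literal output — so the colour button will render the text `// XSS?!` next to its translated label. Put the remark on its own line above the text as an unbuffered comment, `//- XSS?! cardColorButtonText is rendered unescaped; confirm it cannot carry user input`, or drop it before this leaves WIP. Whether `cardColorButtonText` can contain user-controlled content is not visible here, so the underlying question stays open. The enclosing `template(name="cardActions")` block starts before this hunk.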