prevent XSS in user management views

2014-09-09 20:32:57 +02:00 · 2014-09-09 20:32:57 +02:00 · 80f7f61649
parent d86efb649b
commit 80f7f61649
4 changed files with 13 additions and 14 deletions
--- a/js/apps/system/aardvark/frontend/js/templates/userBarView.ejs
+++ b/js/apps/system/aardvark/frontend/js/templates/userBarView.ejs
@ -9,9 +9,9 @@
      <li class="dropdown-header" style="text-transform: none">
        <%
        if (name) {%>
-        <%=name%> (<%=username%>)
+        <%=_.escape(name)%> (<%=_.escape(username)%>)
        <% } else {%>
-        <%=username%>
+        <%=_.escape(username)%>
        <% } %>
      <li class="dropdown-item">
        <a id="userProfile" class="tab" href="#user">User profile</a>
--- a/js/apps/system/aardvark/frontend/js/templates/userManagementView.ejs
+++ b/js/apps/system/aardvark/frontend/js/templates/userManagementView.ejs
@ -69,7 +69,7 @@
                active = user.get("active"),
                avatar = '<img src="';

-              if (!img) {
+              if (! img) {
                avatar += 'img/arangodblogoAvatar_50.png';
              } else {
                avatar += 'https://s.gravatar.com/avatar/';
@ -77,16 +77,16 @@
                avatar += '?s=50';
              }
              avatar += '" height="50" width="50" alt="" class="icon" id="';
-              avatar += username;
+              avatar += _.escape(username);
              avatar += '" />';
-              if (!name) {
+              if (! name) {
                name = " ";
              }
      %>

      <div class="tile">
        <div class="iconSet">
-          <span class="icon_arangodb_settings2 editUser" id="<%=username %>_edit-user" alt="Edit user" title="Edit user"></span>
+          <span class="icon_arangodb_settings2 editUser" id="<%=_.escape(username) %>_edit-user" alt="Edit user" title="Edit user"></span>
        </div>
        <%=avatar %>
        <div class="tileBadge">
@ -103,7 +103,7 @@
          </span>
        </div>

-        <h5 class="collectionName"><%=username %> <% if (name !== ' ') { %>(<%=name %>)<%}%></h5>
+        <h5 class="collectionName"><%=_.escape(username) %> <% if (name !== ' ') { %>(<%=_.escape(name) %>)<%}%></h5>
      </div>
      <%});%>
     </div>
--- a/js/apps/system/aardvark/frontend/js/views/userBarView.js
+++ b/js/apps/system/aardvark/frontend/js/views/userBarView.js
@ -66,12 +66,13 @@
        img = currentUser.get("extra").img;
        active = currentUser.get("active");
      }
-      if (!img) {
+      if (! img) {
        img = "img/arangodblogoAvatar_24.png";
-      } else {
+      } 
+      else {
        img = "https://s.gravatar.com/avatar/" + img + "?s=24";
      }
-      if (!name) {
+      if (! name) {
        name = "";
      }

--- a/js/apps/system/aardvark/frontend/js/views/userManagementView.js
+++ b/js/apps/system/aardvark/frontend/js/views/userManagementView.js
@ -10,7 +10,6 @@
    el: '#content',
    el2: '#userManagementThumbnailsIn',

-
    template: templateEngine.createTemplate("userManagementView.ejs"),

    events: {
@ -405,7 +404,7 @@
        {
          type: window.modalView.tables.READONLY,
          label: "Username",
-          value: username
+          value: _.escape(username)
        },
        {
          type: window.modalView.tables.TEXT,
@ -434,7 +433,7 @@
          callback: this.submitEditUser.bind(this, username)
        }
      ];
-        window.modalView.show("modalTable.ejs", "Edit User", buttons, tableContent);
+      window.modalView.show("modalTable.ejs", "Edit User", buttons, tableContent);
    },

    createCreateUserModal: function() {
@ -555,6 +554,5 @@
      window.modalView.show("modalTable.ejs", "Edit User Password", buttons, tableContent);
    }

-
  });
 }());