authorMicah Lee <micah@micahflee.com>2014-07-15 19:13:44 -0700
committerMicah Lee <micah@micahflee.com>2014-07-15 19:13:44 -0700
commitd9aa55b991555d2d2983172a9ac0419c7e4b397e (patch)
tree47aac6a18befb0440d5e7e4ae1f665520732db13
parent2edde2eb1f570d1101956165466996247559a455 (diff)
downloadonionshare-d9aa55b991555d2d2983172a9ac0419c7e4b397e.tar.gz
onionshare-d9aa55b991555d2d2983172a9ac0419c7e4b397e.zip
fixed critical XSS bug that can deanonymize user
-rw-r--r--onionshare_gui/static/helpers.js49
-rw-r--r--onionshare_gui/static/onionshare.js2
2 files changed, 50 insertions, 1 deletions
diff --git a/onionshare_gui/static/helpers.js b/onionshare_gui/static/helpers.js
index 951320ba..8936c3e5 100644
--- a/onionshare_gui/static/helpers.js
+++ b/onionshare_gui/static/helpers.js
@@ -9,3 +9,52 @@ function human_readable_filesize(bytes, si) {
} while(bytes >= thresh);
return bytes.toFixed(1)+' '+units[u];
};
+
+function htmlspecialchars(string, quote_style, charset, double_encode) {
+ var optTemp = 0,
+ i = 0,
+ noquotes = false;
+ if (typeof quote_style === 'undefined' || quote_style === null) {
+ quote_style = 2;
+ }
+ string = string.toString();
+ if (double_encode !== false) {
+ // Put this first to avoid double-encoding
+ string = string.replace(/&/g, '&amp;');
+ }
+ string = string.replace(/</g, '&lt;')
+ .replace(/>/g, '&gt;');
+
+ var OPTS = {
+ 'ENT_NOQUOTES': 0,
+ 'ENT_HTML_QUOTE_SINGLE': 1,
+ 'ENT_HTML_QUOTE_DOUBLE': 2,
+ 'ENT_COMPAT': 2,
+ 'ENT_QUOTES': 3,
+ 'ENT_IGNORE': 4
+ };
+ if (quote_style === 0) {
+ noquotes = true;
+ }
+ if (typeof quote_style !== 'number') {
+ // Allow for a single string or an array of string flags
+ quote_style = [].concat(quote_style);
+ for (i = 0; i < quote_style.length; i++) {
+ // Resolve string input to bitwise e.g. 'ENT_IGNORE' becomes 4
+ if (OPTS[quote_style[i]] === 0) {
+ noquotes = true;
+ } else if (OPTS[quote_style[i]]) {
+ optTemp = optTemp | OPTS[quote_style[i]];
+ }
+ }
+ quote_style = optTemp;
+ }
+ if (quote_style & OPTS.ENT_HTML_QUOTE_SINGLE) {
+ string = string.replace(/'/g, '&#039;');
+ }
+ if (!noquotes) {
+ string = string.replace(/"/g, '&quot;');
+ }
+
+ return string;
+}
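Review bot: The new helper calls `string.toString()` unconditionally, so a `null` or `undefined` argument throws a TypeError inside the log renderer instead of producing escaped output; `string = String(string);` handles every input the same way while keeping the same result for strings. The default `quote_style` of 2 (ENT_COMPAT) escapes `&`, `<`, `>` and `"` but leaves `'` alone, which is sufficient for the text-node context it is called from in onionshare.js but not for a single-quoted attribute, and nothing in the code says so; a header comment such as `// Escapes &, <, > and " (and ' when called with ENT_QUOTES) so untrusted text can be passed to .html(); the default leaves ' unescaped, so do not use the result inside single-quoted attributes.` would make the contract explicit. `ENT_IGNORE` is accepted in OPTS but never changes behaviour, which the same comment could state. As a point of style, the comma-chained `var optTemp = 0, i = 0, noquotes = false;` would read more clearly as one declaration per line.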
diff --git a/onionshare_gui/static/onionshare.js b/onionshare_gui/static/onionshare.js
index 0e13f445..05e796bf 100644
--- a/onionshare_gui/static/onionshare.js
+++ b/onionshare_gui/static/onionshare.js
@@ -65,7 +65,7 @@ $(function(){
}
} else {
if(r.path != '/favicon.ico')
- update($('<span>').addClass('weblog-error').html(onionshare.strings['other_page_loaded']+': '+r.path));
+ update($('<span>').addClass('weblog-error').html(onionshare.strings['other_page_loaded']+': '+htmlspecialchars(r.path)));
}
}
}
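Review bot: The patched line still builds the span with `.html()` when the only dynamic part is `r.path`, so correctness now rests on every caller remembering to route request-derived text through `htmlspecialchars`; if `onionshare.strings['other_page_loaded']` carries no markup, `update($('<span>').addClass('weblog-error').text(onionshare.strings['other_page_loaded']+': '+r.path));` would make jQuery do the escaping and remove that dependency entirely. Any other place in this handler that interpolates a request field into `.html()` presumably needs the same treatment, though none is visible in the hunk. The surrounding `$(function(){ … })` callback and the `if`/`else` it belongs to start outside the hunk. As a point of style, `r.path != '/favicon.ico'` would be better as `!==`.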