From 91a2fcb61dc7daed8f7c9d027cac35e1bab203e8 Mon Sep 17 00:00:00 2001
From: calzoneman
Date: Tue, 2 Jul 2013 15:42:26 -0400
Subject: [PATCH] Better XSS prevention (NOTE: must run npm install validator on existing installs)
---
 channel.js | 6 ++++--
 package.json | 5 +++--
 server.js | 2 +-
 www/assets/js/callbacks.js | 3 ++-
 www/assets/js/data.js | 1 +
 www/assets/js/util.js | 2 +-
 6 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/channel.js b/channel.js
index 471c73b7..d5ef7023 100644
--- a/channel.js
+++ b/channel.js
@@ -25,6 +25,7 @@ var Auth = require("./auth.js");
 var ChatCommand = require("./chatcommand.js");
 var Filter = require("./filter.js").Filter;
 var ActionLog = require("./actionlog");
+var sanitize = require("validator").sanitize;
 var Channel = function(name) {
 Logger.syslog.log("Opening channel " + name);
@@ -1594,6 +1595,7 @@ Channel.prototype.tryUpdateFilter = function(user, f) {
 var re = f.source;
 var flags = f.flags;
+ f.replace = sanitize(f.replace).xss();
 try {
 new RegExp(re, flags);
 }
@@ -1696,6 +1698,7 @@ Channel.prototype.trySetJS = function(user, data) {
 Channel.prototype.updateMotd = function(motd) {
 var html = motd.replace(/\n/g, "
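Review bot: `f.replace = sanitize(f.replace).xss();` in tryUpdateFilter treats validator's `xss()` as the guarantee that a filter replacement is safe HTML, but `xss()` is a denylist-style cleaner rather than an encoder, so it is defense in depth at best; the same applies to `html = sanitize(html).xss();` in updateMotd. Because the replacement is spliced into chat text after sendMessage has already escaped it, whoever is permitted to call tryUpdateFilter still places raw markup into every viewer's page, and a comment should record that this is a trust decision: `// xss() is best-effort; filter editors are trusted to emit HTML into chat`. Only filters submitted through this path are cleaned, so if filters are persisted, ones stored before this change keep their original replacement until re-saved (persistence is not visible in the hunk). tryUpdateFilter's body continues outside the hunk.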
"); + html = sanitize(html).xss(); //html = this.filterMessage(html); this.motd = { motd: motd, @@ -1782,8 +1785,7 @@ Channel.prototype.filterMessage = function(msg) { Channel.prototype.sendMessage = function(username, msg, msgclass, data) { // I don't want HTML from strangers - msg = msg.replace(/&/g, "&"); - msg = msg.replace(//g, ">"); + msg = sanitize(msg).escape(); msg = this.filterMessage(msg); var msgobj = { username: username, diff --git a/package.json b/package.json index a1a6de1c..25d2455f 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "author": "Calvin Montgomery", "name": "CyTube", "description": "Online media synchronizer and chat", - "version": "2.0.1", + "version": "2.0.2", "repository": { "url": "http://github.com/calzoneman/sync" }, @@ -12,6 +12,7 @@ "mysql-libmysqlclient": "*", "node_hash": "*", "bcrypt": "*", - "nodemailer": "*" + "nodemailer": "*", + "validator": "*" } } diff --git a/server.js b/server.js index c409c99e..167e2da5 100644 --- a/server.js +++ b/server.js @@ -9,7 +9,7 @@ The above copyright notice and this permission notice shall be included in all c THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -const VERSION = "2.0.1"; +const VERSION = "2.0.2"; var fs = require("fs"); var Logger = require("./logger.js"); diff --git a/www/assets/js/callbacks.js b/www/assets/js/callbacks.js index 39f97134..b11e84b0 100644 --- a/www/assets/js/callbacks.js +++ b/www/assets/js/callbacks.js 
@@ -106,8 +106,9 @@ Callbacks = {
 setMotd: function(data) {
 CHANNEL.motd = data.html;
+ CHANNEL.motd_text = data.motd;
 $("#motd").html(data.html);
- $("#motdtext").val(CHANNEL.motd);
+ $("#motdtext").val(CHANNEL.motd_text);
 if(data.motd != "")
 $("#motd").show();
 else
diff --git a/www/assets/js/data.js b/www/assets/js/data.js
index 53e81708..ac8268a7 100644
--- a/www/assets/js/data.js
+++ b/www/assets/js/data.js
@@ -29,6 +29,7 @@ var CHANNEL = {
 css: "",
 js: "",
 motd: "",
+ motd_text: "",
 name: false
 };
diff --git a/www/assets/js/util.js b/www/assets/js/util.js
index 09d1acf2..f1418c7f 100644
--- a/www/assets/js/util.js
+++ b/www/assets/js/util.js
@@ -767,7 +767,7 @@ function handleModPermissions() {
 $("#opt_voteskip_ratio").val(CHANNEL.opts.voteskip_ratio);
 $("#csstext").val(CHANNEL.css);
 $("#jstext").val(CHANNEL.js);
- $("#motdtext").val(CHANNEL.motd);
+ $("#motdtext").val(CHANNEL.motd_text);
 setVisible("#permedit_tab", CLIENT.rank >= 3);
 setVisible("#banlist_tab", hasPermission("ban"));
 setVisible("#motdedit_tab", hasPermission("motdedit"));