Better XSS prevention (NOTE: must run npm install validator on existing installs)

2013-07-02 15:42:26 -04:00 · 2013-07-02 15:42:26 -04:00 · 91a2fcb61d
parent 46b823c60d
commit 91a2fcb61d
6 changed files with 12 additions and 7 deletions
--- a/channel.js
+++ b/channel.js
@ -25,6 +25,7 @@ var Auth = require("./auth.js");
 var ChatCommand = require("./chatcommand.js");
 var Filter = require("./filter.js").Filter;
 var ActionLog = require("./actionlog");
+var sanitize = require("validator").sanitize;

 var Channel = function(name) {
    Logger.syslog.log("Opening channel " + name);
@ -1594,6 +1595,7 @@ Channel.prototype.tryUpdateFilter = function(user, f) {

    var re = f.source;
    var flags = f.flags;
+    f.replace = sanitize(f.replace).xss();
    try {
        new RegExp(re, flags);
    }
@ -1696,6 +1698,7 @@ Channel.prototype.trySetJS = function(user, data) {

 Channel.prototype.updateMotd = function(motd) {
    var html = motd.replace(/\n/g, "<br>");
+    html = sanitize(html).xss();
    //html = this.filterMessage(html);
    this.motd = {
        motd: motd,
@ -1782,8 +1785,7 @@ Channel.prototype.filterMessage = function(msg) {

 Channel.prototype.sendMessage = function(username, msg, msgclass, data) {
    // I don't want HTML from strangers
-    msg = msg.replace(/&/g, "&amp;");
-    msg = msg.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+    msg = sanitize(msg).escape();
    msg = this.filterMessage(msg);
    var msgobj = {
        username: username,
--- a/package.json
+++ b/package.json
@ -2,7 +2,7 @@
    "author": "Calvin Montgomery",
    "name": "CyTube",
    "description": "Online media synchronizer and chat",
-    "version": "2.0.1",
+    "version": "2.0.2",
    "repository": {
        "url": "http://github.com/calzoneman/sync"
    },
@ -12,6 +12,7 @@
        "mysql-libmysqlclient": "*",
        "node_hash": "*",
        "bcrypt": "*",
-        "nodemailer": "*"
+        "nodemailer": "*",
+        "validator": "*"
    }
 }
--- a/server.js
+++ b/server.js
@ -9,7 +9,7 @@ The above copyright notice and this permission notice shall be included in all c
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */

-const VERSION = "2.0.1";
+const VERSION = "2.0.2";

 var fs = require("fs");
 var Logger = require("./logger.js");
--- a/www/assets/js/callbacks.js
+++ b/www/assets/js/callbacks.js
@ -106,8 +106,9 @@ Callbacks = {

    setMotd: function(data) {
        CHANNEL.motd = data.html;
+        CHANNEL.motd_text = data.motd;
        $("#motd").html(data.html);
-        $("#motdtext").val(CHANNEL.motd);
+        $("#motdtext").val(CHANNEL.motd_text);
        if(data.motd != "")
            $("#motd").show();
        else
--- a/www/assets/js/data.js
+++ b/www/assets/js/data.js
@ -29,6 +29,7 @@ var CHANNEL = {
    css: "",
    js: "",
    motd: "",
+    motd_text: "",
    name: false
 };

--- a/www/assets/js/util.js
+++ b/www/assets/js/util.js
@ -767,7 +767,7 @@ function handleModPermissions() {
    $("#opt_voteskip_ratio").val(CHANNEL.opts.voteskip_ratio);
    $("#csstext").val(CHANNEL.css);
    $("#jstext").val(CHANNEL.js);
-    $("#motdtext").val(CHANNEL.motd);
+    $("#motdtext").val(CHANNEL.motd_text);
    setVisible("#permedit_tab", CLIENT.rank >= 3);
    setVisible("#banlist_tab", hasPermission("ban"));
    setVisible("#motdedit_tab", hasPermission("motdedit"));