fix XSS attack with rubrics

fixes COMMS-1848 OUT-2968 Test Plan: - Login as user, which can create discussion topics. - Create discussion topic with following content: <a class="btn btn-primary rubric_dialog_trigger" data-url="https://test.ddv.in.ua/Instructure.php?">XSS</a> - Save. - Click on the button notice no alert Change-Id: I2f483a16630fc57426ec347f0ee5daffc938744d Reviewed-on: https://gerrit.instructure.com/179487 Tested-by: Jenkins Reviewed-by: Neil Gupta <ngupta@instructure.com> QA-Review: Aaron Hsu <ahsu@instructure.com> Product-Review: Steven Burnett <sburnett@instructure.com>
2019-01-28 10:05:07 -07:00 · 2019-01-28 10:05:07 -07:00 · 22986bb9c9
parent 2328ab322a
commit 22986bb9c9
2 changed files with 25 additions and 2 deletions
--- a/app/coffeescripts/widget/assignmentRubricDialog.js
+++ b/app/coffeescripts/widget/assignmentRubricDialog.js
@ -20,6 +20,7 @@ import $ from 'jquery'
 import htmlEscape from 'str/htmlEscape'
 import 'jqueryui/dialog'
 import 'vendor/jquery.ba-tinypubsub'
+import sanitizeHtml from 'jsx/shared/sanitizeHtml'

 const assignmentRubricDialog = {

@ -65,7 +66,7 @@ const assignmentRubricDialog = {

      // weird hackery because the server returns a <div id="rubrics" style="display:none">
      // as it's root node, so we need to show it before we inject it
-      assignmentRubricDialog.$dialog.html($(html).show())
+      assignmentRubricDialog.$dialog.html($(sanitizeHtml(html)).show())
    })
  },

--- a/spec/coffeescripts/widgets/assignmentRubricDialogSpec.js
+++ b/spec/coffeescripts/widgets/assignmentRubricDialogSpec.js
@ -42,7 +42,16 @@
 import $ from 'jquery'
 import assignmentRubricDialog from 'compiled/widget/assignmentRubricDialog'

-QUnit.module('assignmentRubricDialog')
+QUnit.module('assignmentRubricDialog', {
+  setup() {
+    this.server = sinon.createFakeServer({respondImmediately: true})
+    this.server.respondWith([200, {}, '<img src="x" onerror="alert(document.cookie);">'])
+  },
+
+  teardown() {
+    this.server.restore()
+  }
+})

 test('make sure it picks up the right data attrs', () => {
  const $trigger = $('<div />').addClass('rubric_dialog_trigger')
@ -59,3 +68,16 @@ test('make sure it picks up the right data attrs', () => {

  $('#fixtures').empty()
 })
+
+test('make sure it sanitizes html in dialog', () => {
+  const $trigger = $('<div />').addClass('rubric_dialog_trigger')
+  $trigger.data('noRubricExists', false)
+  $trigger.data('url', '/example')
+  $trigger.data('focusReturnsTo', '.announcement_cog')
+  $('#fixtures').append($trigger)
+
+  assignmentRubricDialog.initDialog()
+
+  equal(assignmentRubricDialog.$dialog.html(), '<img src="x" style="display: inline;">')
+  $('#fixtures').empty()
+})