gradebook2: escape html values to prevent xss

Escapes the presentation and capturing of grades in gradebook2 to guard against xss attacks test plan: - as a teacher, edit a grade in the gradebook with "><img src=/ onerror=alert(document.cookie);> - you should not see an alert fixes CNVS-5369 Change-Id: I67a9892ca71db62a2462789b6cf7f28dce47335e Reviewed-on: https://gerrit.instructure.com/19706 QA-Review: Amber Taniuchi <amber@instructure.com> Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Simon Williams <simon@instructure.com> Product-Review: Stanley Stuart <stanley@instructure.com>
2013-04-17 16:03:05 -06:00 · 2013-04-17 16:03:05 -06:00 · 2a3124c759
parent b18af81c24
commit 2a3124c759
2 changed files with 38 additions and 3 deletions
--- a/app/coffeescripts/gradebook2/SubmissionCell.coffee
+++ b/app/coffeescripts/gradebook2/SubmissionCell.coffee
@ -1,10 +1,11 @@
 define [
  'compiled/gradebook2/GRADEBOOK_TRANSLATIONS'
+  'str/htmlEscape'
  'jquery'
  'underscore'
  'compiled/gradebook2/Turnitin'
  'jquery.ajaxJSON'
-], (GRADEBOOK_TRANSLATIONS, $, _, {extractData}) ->
+], (GRADEBOOK_TRANSLATIONS, htmlEscape,$, _, {extractData}) ->

  class SubmissionCell

@ -23,7 +24,7 @@ define [
      @$input.focus()

    loadValue: () ->
-      @val = @opts.item[@opts.column.field].grade || ""
+      @val = htmlEscape @opts.item[@opts.column.field].grade || ""
      @$input.val(@val)
      @$input[0].defaultValue = @val
      @$input.select()
@ -32,7 +33,7 @@ define [
      @$input.val()

    applyValue: (item, state) ->
-      item[@opts.column.field].grade = state
+      item[@opts.column.field].grade = htmlEscape state
      @wrapper?.remove()
      @postValue(item, state)
      # TODO: move selection down to the next row, same column
--- a/spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee
+++ b/spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee
@ -0,0 +1,34 @@
+define [
+  'compiled/gradebook2/SubmissionCell'
+  'str/htmlEscape'
+  'jquery'
+], (SubmissionCell,htmlEscape,$) ->
+
+  dangerousHTML= '"><img src=/ onerror=alert(document.cookie);>'
+  escapedDangerousHTML = htmlEscape dangerousHTML
+
+  module "SubmissionCell",
+    setup: ->
+      @opts =
+        item:
+            'whatever': {}
+        column:
+            field: 'whatever'
+            object: {}
+        container: $('#fixtures')[0]
+      @cell = new SubmissionCell @opts
+    teardown: -> $('#fixtures').empty()
+
+  test "#applyValue escapes html in passed state", ->
+    item = whatever: {grade: '1'}
+    state = dangerousHTML
+    sinon.stub @cell, 'postValue'
+    @cell.applyValue(item,state)
+    equal item.whatever.grade, escapedDangerousHTML
+
+  test "#loadValue escapes html", ->
+    @opts.item.whatever.grade = dangerousHTML
+    @cell.loadValue()
+    equal @cell.$input.val(), escapedDangerousHTML
+    equal @cell.$input[0].defaultValue, escapedDangerousHTML
+