From 2a3124c759c391d488fcfc5c2a8d34513513aab7 Mon Sep 17 00:00:00 2001
From: Stanley Stuart
Date: Wed, 17 Apr 2013 16:03:05 -0600
Subject: [PATCH] gradebook2: escape html values to prevent xss
Escapes the presentation and capturing of grades in gradebook2 to guard against xss attacks
test plan:
- as a teacher, edit a grade in the gradebook with ">
- you should not see an alert
fixes CNVS-5369
Change-Id: I67a9892ca71db62a2462789b6cf7f28dce47335e
Reviewed-on: https://gerrit.instructure.com/19706
QA-Review: Amber Taniuchi
Tested-by: Jenkins
Reviewed-by: Simon Williams
Product-Review: Stanley Stuart
---
.../gradebook2/SubmissionCell.coffee | 7 ++--
.../gradebook2/SubmissionCellSpec.coffee | 34 +++++++++++++++++++
2 files changed, 38 insertions(+), 3 deletions(-)
create mode 100644 spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee
diff --git a/app/coffeescripts/gradebook2/SubmissionCell.coffee b/app/coffeescripts/gradebook2/SubmissionCell.coffee
index f87822d3e78..26c528ecb0f 100644
--- a/app/coffeescripts/gradebook2/SubmissionCell.coffee
+++ b/app/coffeescripts/gradebook2/SubmissionCell.coffee
@@ -1,10 +1,11 @@
 define [
 'compiled/gradebook2/GRADEBOOK_TRANSLATIONS'
+ 'str/htmlEscape'
 'jquery'
 'underscore'
 'compiled/gradebook2/Turnitin'
 'jquery.ajaxJSON'
-], (GRADEBOOK_TRANSLATIONS, $, _, {extractData}) ->
+], (GRADEBOOK_TRANSLATIONS, htmlEscape,$, _, {extractData}) ->
 class SubmissionCell
@@ -23,7 +24,7 @@ define [
 @$input.focus()
 loadValue: () ->
- @val = @opts.item[@opts.column.field].grade || ""
+ @val = htmlEscape @opts.item[@opts.column.field].grade || ""
 @$input.val(@val)
 @$input[0].defaultValue = @val
 @$input.select()
@@ -32,7 +33,7 @@ define [
 @$input.val()
 applyValue: (item, state) ->
- item[@opts.column.field].grade = state
+ item[@opts.column.field].grade = htmlEscape state
 @wrapper?.remove()
 @postValue(item, state)
 # TODO: move selection down to the next row, same column
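Review bot: The changed lines in the `@@ -23` and `@@ -32` hunks escape on the way into the data model instead of at the markup sink: `applyValue` now stores `htmlEscape state` in `item[@opts.column.field].grade` while `@postValue(item, state)` on the next line still receives the raw `state`, so the grid and whatever `postValue` sends can hold different values for the same grade. `loadValue` escapes before `@$input.val(@val)` and `defaultValue`, but both set a DOM property that is never parsed as HTML, so a grade that already contains `&`, `<` or `"` appears in the editor as entities, and saving it from there runs it through `htmlEscape` a second time. The safer shape is to keep the model raw — `@val = @opts.item[@opts.column.field].grade || ""` and `item[@opts.column.field].grade = state` — and apply `htmlEscape` at the point where the grade is interpolated into the cell's HTML, which is presumably in a formatter outside these hunks. The import hunk also drops the space after `htmlEscape,` in the callback parameter list. Both `loadValue` and `applyValue` may continue past the end of their hunks.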
diff --git a/spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee b/spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee
new file mode 100644
index 00000000000..20050bbf925
--- /dev/null
+++ b/spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee
@@ -0,0 +1,34 @@
+define [
+ 'compiled/gradebook2/SubmissionCell'
+ 'str/htmlEscape'
+ 'jquery'
+], (SubmissionCell,htmlEscape,$) ->
+
+ dangerousHTML= '">'
+ escapedDangerousHTML = htmlEscape dangerousHTML
+
+ module "SubmissionCell",
+ setup: ->
+ @opts =
+ item:
+ 'whatever': {}
+ column:
+ field: 'whatever'
+ object: {}
+ container: $('#fixtures')[0]
+ @cell = new SubmissionCell @opts
+ teardown: -> $('#fixtures').empty()
+
+ test "#applyValue escapes html in passed state", ->
+ item = whatever: {grade: '1'}
+ state = dangerousHTML
+ sinon.stub @cell, 'postValue'
+ @cell.applyValue(item,state)
+ equal item.whatever.grade, escapedDangerousHTML
+
+ test "#loadValue escapes html", ->
+ @opts.item.whatever.grade = dangerousHTML
+ @cell.loadValue()
+ equal @cell.$input.val(), escapedDangerousHTML
+ equal @cell.$input[0].defaultValue, escapedDangerousHTML
+
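Review bot: Both assertions compare against `escapedDangerousHTML`, which the spec derives by calling the same `htmlEscape` the code under test calls, so the tests only prove that `applyValue` and `loadValue` route the value through `htmlEscape`, not what the stored or displayed value actually is, and a regression in the helper itself would pass unnoticed. Pinning a literal expected string, e.g. `equal item.whatever.grade, '&quot;&gt;'` (or whatever `str/htmlEscape` is specified to yield for `'">'`), makes the assertion independent of the helper. There is also no case for a plain grade such as `'8.5'` or for a value that is already escaped, so a `loadValue` followed by `applyValue` on the same cell escaping the grade twice would not be caught; a third test that runs that round trip and asserts the grade is unchanged would cover it. `sinon.stub @cell, 'postValue'` is never restored, which is harmless here only because `setup` builds a fresh `SubmissionCell` for every test.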