From 4a36967bc1f237c3bbb9a0971a825919cdc95c1e Mon Sep 17 00:00:00 2001
From: mpl
Date: Mon, 8 Jul 2013 18:19:39 +0200
Subject: [PATCH] blobinfo: protect against xss from filename

http://camlistore.org/issue/173

Change-Id: I0b94578cea671ab3ba330a498f835a6e0bfdfc68
---
 server/camlistored/ui/blobinfo.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/server/camlistored/ui/blobinfo.js b/server/camlistored/ui/blobinfo.js
index ee8f80a2f..88bb32361 100644
--- a/server/camlistored/ui/blobinfo.js
+++ b/server/camlistored/ui/blobinfo.js
@@ -113,7 +113,7 @@ function(bmap) {
 blobmeta.innerHTML = "(not found)";
 return;
 }
-blobmeta.innerHTML = JSON.stringify(binfo, null, 2);
+blobmeta.innerHTML = htmlEscape(JSON.stringify(binfo, null, 2));
 if (binfo.camliType || (binfo.type && binfo.type.indexOf("text/") == 0)) {
 this.connection_.getBlobContents(blobref, goog.bind(function(data) {
@@ -130,7 +130,7 @@ function(bmap) {
 // That's why we do this messy business here. Fix it server side.
 finfo = JSON.parse(data);
 bd.innerHTML = "";
-var fileName = finfo.fileName || blobref;
+var fileName = htmlEscape(finfo.fileName) || blobref;
 bd.firstChild.href = "./download/" + blobref + "/" + fileName;
 // If the mime type was not detected by magic pkg, we end up
 // with an empty mimetype value in the indexer's fileinfo,
@@ -176,9 +176,13 @@ function(bmap) {
 }
 }
 
+function htmlEscape(data) {
+return goog.string.htmlEscape(data);
+}
+
 function linkifyBlobRefs(schemaBlob) {
 var re = /(\w{3,6}-[a-f0-9]{30,})/g;
-return schemaBlob.replace(re, "$1");
+return htmlEscape(schemaBlob).replace(re, "$1");
 };
 
 // Gets the |p| query parameter, assuming that it looks like a blobref.
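Review bot: Escaping and then assigning through `innerHTML` on the added `blobmeta.innerHTML = htmlEscape(JSON.stringify(binfo, null, 2));` line works, but the value is plain text meant to be shown verbatim, so inserting it as text removes the escape step and the risk of a gap in what `htmlEscape` covers: `blobmeta.textContent = JSON.stringify(binfo, null, 2);` (or `goog.dom.setTextContent(blobmeta, JSON.stringify(binfo, null, 2));` for the Closure-style of the surrounding code). The constant `"(not found)"` assignment above it can stay as it is since it contains no data. The enclosing `function(bmap)` starts and ends outside the hunk.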
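Review bot: HTML escaping is the wrong encoding for the added `var fileName = htmlEscape(finfo.fileName) || blobref;` line, because the only visible use of `fileName` is the next line, where it becomes a URL path segment assigned to the `href` DOM property; entities are not decoded there, and a filename containing `/`, `?` or `#` still changes the link. The path segment should be percent-encoded at the point of use instead: `var fileName = finfo.fileName || blobref;` followed by `bd.firstChild.href = "./download/" + blobref + "/" + encodeURIComponent(fileName);`. The new expression also depends on `goog.string.htmlEscape` returning `undefined` unchanged when `finfo.fileName` is absent so that `|| blobref` takes over; if HTML escaping is kept, `htmlEscape(finfo.fileName || blobref)` makes the fallback explicit. If `fileName` is later inserted into markup, that insertion is where escaping belongs; the enclosing callback continues outside the hunk.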
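Review bot: The new `htmlEscape` helper is undocumented; a one-line JSDoc such as `/** @param {string} data Text to insert into HTML. @return {string} |data| with HTML special characters escaped, via goog.string.htmlEscape. */` would state its contract, and a note that it is a function declaration (hoisted, so the earlier callers in this file resolve it) would save the next reader a search. It depends on `goog.string` being loaded, and no `goog.require('goog.string')` appears in this patch, so the file's require block (outside the hunk) should be checked. In `linkifyBlobRefs`, escaping before the replacement is safe because the blobref pattern matches only `\w`, `-` and hex digits, none of which `htmlEscape` rewrites; a comment above the return, `// Escape first: the blobref pattern contains no characters htmlEscape changes.`, would make that ordering deliberate rather than incidental.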