From d2c54356934315b2428c7352284d7f5ddd431099 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 1 Dec 2014 13:18:02 +0100 Subject: [PATCH 1/2] Add "dojox/html" as dependency "dojox/html/entities" will be used to sanitize the strings. --- programs/editor/dojo-deps/profiles/app.profile.js | 1 + 1 file changed, 1 insertion(+) diff --git a/programs/editor/dojo-deps/profiles/app.profile.js b/programs/editor/dojo-deps/profiles/app.profile.js index 5edd71214..210674e9e 100644 --- a/programs/editor/dojo-deps/profiles/app.profile.js +++ b/programs/editor/dojo-deps/profiles/app.profile.js @@ -71,6 +71,7 @@ var profile = { "dojo/dom-construct", "dojo/_base/NodeList", "dojo/_base/browser", + "dojox/html/entities", 'dijit/layout/BorderContainer', 'dijit/layout/ContentPane', 'dojox/layout/ExpandoPane', From 28c407940c2a2bfae150c374d5445f71349e3db2 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 1 Dec 2014 13:25:40 +0100 Subject: [PATCH 2/2] Sanitize paragraph and font names --- ChangeLog.md | 2 +- programs/editor/widgets/fontPicker.js | 9 +++++---- programs/editor/widgets/paragraphStyles.js | 9 +++++---- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index a046a6978..4df6f6d2c 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -10,7 +10,7 @@ See also section about WebODF ### Fixes * Fix wrongly enabled hyperlink tools with no document loaded ([#833](https://github.com/kogmbh/WebODF/pull/833)) - +* Prevent Cross-Site Scripting from style names and font names ([#849](https://github.com/kogmbh/WebODF/pull/849))) # Changes between 0.5.3 and 0.5.4 diff --git a/programs/editor/widgets/fontPicker.js b/programs/editor/widgets/fontPicker.js index fd3e60629..27758a755 100644 --- a/programs/editor/widgets/fontPicker.js +++ b/programs/editor/widgets/fontPicker.js 
@@ -23,9 +23,10 @@ */ /*global define,require,document */ define("webodf/editor/widgets/fontPicker", [ - "dijit/form/Select"], + "dijit/form/Select", + "dojox/html/entities"], - function (Select) { + function (Select, htmlEntities) { "use strict"; /** @@ -91,7 +92,7 @@ define("webodf/editor/widgets/fontPicker", [ name = documentFonts[i].name; family = documentFonts[i].family || name; selectionList.push({ - label: '' + name + '', + label: '' + htmlEntities.encode(name)+ '', value: name }); } @@ -104,7 +105,7 @@ define("webodf/editor/widgets/fontPicker", [ // Lastly populate the fonts provided by the editor for (i = 0; i < editorFonts.length; i += 1) { selectionList.push({ - label: '' + editorFonts[i] + '', + label: '' + htmlEntities.encode(editorFonts[i]) + '', value: editorFonts[i] }); } diff --git a/programs/editor/widgets/paragraphStyles.js b/programs/editor/widgets/paragraphStyles.js index 595693142..a8e5a1a7e 100644 --- a/programs/editor/widgets/paragraphStyles.js +++ b/programs/editor/widgets/paragraphStyles.js @@ -26,9 +26,10 @@ define("webodf/editor/widgets/paragraphStyles", [ "dijit/form/Select", + "dojox/html/entities", "webodf/editor/EditorSession"], - function (Select, EditorSession) { + function (Select, htmlEntities, EditorSession) { "use strict" /** @@ -83,7 +84,7 @@ define("webodf/editor/widgets/paragraphStyles", [ for (i = 0; i < availableStyles.length; i += 1) { selectionList.push({ - label: availableStyles[i].displayName || availableStyles[i].name, + label: htmlEntities.encode(availableStyles[i].displayName) || htmlEntities.encode(availableStyles[i].name), value: availableStyles[i].name }); } 
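Review bot: In the @@ -91 hunk `family` is assigned from `documentFonts[i].family || name` but never appears in the encoded label, which suggests the label's markup (presumably a span whose style attribute carries the font family) was stripped from this rendering; if so, `family` still reaches the HTML string unescaped and `htmlEntities.encode(name)` only protects the text node. Entity encoding is the right tool for text content but not for an attribute or CSS value — as far as I recall the default dojox map covers `&`, `<`, `>` and double quotes but not the single quote, so the guarantee depends on how that attribute is quoted. A more robust shape is to build the label as DOM rather than a concatenated string, e.g. `var span = document.createElement('span'); span.style.fontFamily = family; span.textContent = name;` and hand the serialized node to Select (confirm what `label` accepts); the same applies to the `editorFonts[i]` loop in the @@ -104 hunk, where the font name is used twice but encoded once. Both loops live in a function that begins before the hunk.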
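Review bot: In the @@ -83 hunk of paragraphStyles.js the `||` fallback is evaluated after encoding, so it now depends on `htmlEntities.encode` passing an undefined `displayName` through unchanged rather than throwing on it; choosing the value first and encoding once is simpler and does not rely on that detail: `label: htmlEntities.encode(availableStyles[i].displayName || availableStyles[i].name),`. Behaviour for an empty displayName is unchanged either way, since the empty string is falsy before and after encoding. The loop sits inside a function whose start is outside the hunk.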
@@ -102,8 +103,8 @@ define("webodf/editor/widgets/paragraphStyles", [ newStyleElement = editorSession.getParagraphStyleElement(styleInfo.name); select.addOption({ - value: styleInfo.name, - label: newStyleElement.getAttributeNS(stylens, 'display-name') + label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name')), + value: styleInfo.name }); if (self.onAdd) {
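Review bot: Unlike the @@ -83 hunk, the addOption label here has no fallback when the `display-name` attribute is absent; `getAttributeNS` returns null (or an empty string in older engines) in that case, so this option would get an empty label where the other code path shows the style name. Suggest `label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name') || styleInfo.name),` so both paths agree, assuming `styleInfo.name` is the same identifier the other loop falls back to. Swapping the `value`/`label` order is cosmetic. The enclosing function starts before and continues past this hunk (`if (self.onAdd) {` is left open).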