Merge pull request #89 from yetanalytics/sanitize_value_outputs

sanitize possible html value injections in all value renders
yetanalytics · Feb 16, 2024 · d7f4883 · d7f4883
2 parents 9658210 + 5aa9992
commit d7f4883
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 10 deletions.
diff --git a/deps.edn b/deps.edn
@@ -21,7 +21,7 @@
   tailrecursion/cljs-priority-map {:mvn/version "1.2.1"
                                    :exclusions [org.clojure/clojure
                                                 org.clojure/clojurescript]}
-  hiccup/hiccup {:mvn/version "1.0.5"}
+  hiccup/hiccup {:mvn/version "2.0.0-RC3"}
   hiccups/hiccups {:mvn/version "0.3.0"}}
  :aliases
  {:test-cljs

diff --git a/src/main/com/yetanalytics/lrs/pedestal/routes/statements/html.cljc b/src/main/com/yetanalytics/lrs/pedestal/routes/statements/html.cljc
@@ -1,5 +1,5 @@
 (ns com.yetanalytics.lrs.pedestal.routes.statements.html
-  (:require #?@(:clj [[hiccup.core :as html]
+  (:require #?@(:clj [[hiccup2.core :as html]
                       [clojure.java.io :as io]]
                 :cljs [[hiccups.runtime :as hic]
                        [goog.string :refer [format]]
@@ -118,9 +118,10 @@
           (cs/join "\n"
                    (map
                     (fn [hvec]
-                      (#?(:clj html/html
-                          :cljs hic/render-html)
-                       hvec))
+                      (str
+                       (#?(:clj  html/html
+                           :cljs hic/render-html)
+                        hvec)))
                     hvecs))))
 
 (defn actor-pred
@@ -351,7 +352,7 @@
          :truncate-after-mod -9
          :url-params         params)]
     (if (unwrap? ctx)
-      #?(:clj (html/html statement-rendered)
+      #?(:clj  (str (html/html statement-rendered))
          :cljs (hic/render-html statement-rendered))
       (page head
             [:body
@@ -419,7 +420,7 @@
             (inject-ascending
              path-prefix params))]
     (if (unwrap? ctx)
-      #?(:clj (html/html statement-response-rendered)
+      #?(:clj  (str (html/html statement-response-rendered))
          :cljs (hic/render-html statement-response-rendered))
       (page
        head

diff --git a/src/main/com/yetanalytics/lrs/pedestal/routes/statements/html/json.cljc b/src/main/com/yetanalytics/lrs/pedestal/routes/statements/html/json.cljc
@@ -42,6 +42,16 @@
     (web-link? href)
     (assoc :target "_blank")))1
 
+(defn escaped-html-str
+  "Change special characters into HTML character entities."
+  [text]
+  (.. (str text)
+      (replace "&"  "&amp;")
+      (replace "<"  "&lt;")
+      (replace ">"  "&gt;")
+      (replace "\"" "&quot;")
+      (replace "'"  "&#39;")))
+
 (defn a
   [link text]
   [:a
@@ -65,7 +75,8 @@
   (reduce-kv
    (fn [m k v]
      (let [kw (keyword nil (format "data-%s" (name k)))]
-       (assoc m kw v)))
+       (assoc m kw #?(:clj  v
+                      :cljs (escaped-html-str v)))))
    (empty data)
    data))
 
@@ -153,7 +164,8 @@
                      (sort-by #(get key-weights (first %) 0) >)
                      (map-indexed
                       (fn coerce-kv [idx [k v]]
-                        (let [kn      (name k)
+                        (let [kn      #?(:clj  (name k)
+                                         :cljs (escaped-html-str (name k)))
                               scalar? (and (not (rendered? v))
                                            (or (link-tuple? v)
                                                (not (coll? v))))
@@ -266,4 +278,5 @@
            (if (and (string? json)
                     (linky? json))
              (a json json)
-             (str json))])))))
+             #?(:clj  (str json)
+                :cljs (escaped-html-str json)))])))))