From brond...@apache.org
Subject allura git commit: [#8255] escape HTML in wiki & blog diff views
Date Fri, 26 Oct 2018 20:16:28 GMT
Repository: allura
Updated Branches:
  refs/heads/db/8255 [created] ab13d4799


[#8255] escape HTML in wiki & blog diff views


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/ab13d479
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/ab13d479
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/ab13d479

Branch: refs/heads/db/8255
Commit: ab13d47993ac631fcce8e02173505ae042c23e9b
Parents: 7e127c7
Author: Dave Brondsema <dave@brondsema.net>
Authored: Fri Oct 26 16:04:28 2018 -0400
Committer: Dave Brondsema <dave@brondsema.net>
Committed: Fri Oct 26 16:16:05 2018 -0400

----------------------------------------------------------------------
 Allura/allura/lib/helpers.py                      | 13 +++++++++----
 ForgeBlog/forgeblog/templates/blog/post_diff.html |  4 ++--
 ForgeBlog/forgeblog/tests/functional/test_root.py |  8 +++++---
 ForgeWiki/forgewiki/templates/wiki/page_diff.html |  4 ++--
 ForgeWiki/forgewiki/tests/functional/test_root.py |  6 +++++-
 5 files changed, 23 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/ab13d479/Allura/allura/lib/helpers.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index 7e13e57..bbf36e4 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -37,6 +37,7 @@ import shlex
 import socket
 from functools import partial
 from cStringIO import StringIO
+import cgi
 
 import tg
 import genshi.template
@@ -476,14 +477,18 @@ def diff_text(t1, t2, differ=None):
     if differ is None:
         differ = difflib.SequenceMatcher(None, t1_words, t2_words)
     result = []
+
+    def escape_list(words_list):
+        return [cgi.escape(words) for words in words_list]
+
     for tag, i1, i2, j1, j2 in differ.get_opcodes():
         if tag in ('delete', 'replace'):
-            result += ['<del>'] + t1_words[i1:i2] + ['</del>']
+            result += ['<del>'] + escape_list(t1_words[i1:i2]) + ['</del>']
         if tag in ('insert', 'replace'):
-            result += ['<ins>'] + t2_words[j1:j2] + ['</ins>']
+            result += ['<ins>'] + escape_list(t2_words[j1:j2]) + ['</ins>']
         if tag == 'equal':
-            result += t1_words[i1:i2]
-    return ' '.join(result).replace('\n', '<br/>\n')
+            result += escape_list(t1_words[i1:i2])
+    return Markup(' '.join(result).replace('\n', '<br/>\n'))
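Review bot: The per-word escaping uses `cgi.escape` at its default `quote=False`, so `"` and `'` pass through unescaped; that is harmless for the element content emitted between `<del>`/`<ins>`, but the choice deserves a comment, e.g. `# words are user text: escape them; only our own <del>/<ins>/<br/> tags are trusted markup`, and if `Markup` here is markupsafe's/Jinja's, `Markup.escape(words)` would escape all five characters and avoid `cgi.escape`, which no longer exists in Python 3.8+ (this file is Python 2 judging by `cStringIO`). Returning `Markup` instead of `str` is also an interface change for any caller of diff_text outside this commit: Markup's `+`, `%` and `join` escape plain-string operands, so a caller that concatenated the result with already-built HTML would now see that HTML escaped. A docstring stating the contract would make this visible, e.g. `"""Return a word-level HTML diff of t1 and t2 as Markup; word text is HTML-escaped, only the <del>/<ins>/<br/> tags are trusted."""`. diff_text's signature and the tokenisation of t1/t2 into t1_words/t2_words lie above the hunk.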
 
 
 def gen_message_id(_id=None):

http://git-wip-us.apache.org/repos/asf/allura/blob/ab13d479/ForgeBlog/forgeblog/templates/blog/post_diff.html
----------------------------------------------------------------------
diff --git a/ForgeBlog/forgeblog/templates/blog/post_diff.html b/ForgeBlog/forgeblog/templates/blog/post_diff.html
index bfe0199..4b391ae 100644
--- a/ForgeBlog/forgeblog/templates/blog/post_diff.html
+++ b/ForgeBlog/forgeblog/templates/blog/post_diff.html
@@ -35,7 +35,7 @@
           <p>Comparing <a href=".?version={{p1.version}}">Version {{p1.version}}</a>
             with <a href=".?version={{p2.version}}">Version {{p2.version}}</a></p>
           <hr/>
-          <div style="font-family: fixed">
-            {{edits|safe}}
+          <div style="font-family: monospace; padding: 10px;">
+            {{edits}}
           </div>
 {% endblock %}
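Review bot: Dropping `|safe` makes the bare `{{edits}}` correct only because `h.diff_text` now returns Markup, which the autoescaping implied by this change passes through untouched; if another code path ever hands this template a plain string, the diff would render as visible tags, the safe failure but a confusing one. A template comment recording that dependency would stop a future editor from re-adding `|safe`, e.g. `{# edits is Markup from h.diff_text: word text is escaped there, only its <del>/<ins> tags are trusted #}`. The same applies to the identical hunk in ForgeWiki's page_diff.html below, which drops `h.html.literal(edits)`. The `font-family` change is unrelated to the escaping fix and would be easier to audit in its own commit.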

http://git-wip-us.apache.org/repos/asf/allura/blob/ab13d479/ForgeBlog/forgeblog/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeBlog/forgeblog/tests/functional/test_root.py b/ForgeBlog/forgeblog/tests/functional/test_root.py
index 972aa1a..26c5149 100644
--- a/ForgeBlog/forgeblog/tests/functional/test_root.py
+++ b/ForgeBlog/forgeblog/tests/functional/test_root.py
@@ -224,11 +224,13 @@ class Test(TestController):
     def test_post_diff(self):
         self._post()
         d = self._blog_date()
-        self._post('/%s/my-post' % d, text='sometext')
+        self._post('/%s/my-post' % d, text='sometext\n<script>alert(1)</script>')
         self.app.post('/blog/%s/my-post/revert' % d, params=dict(version='1'))
-        response = self.app.get('/blog/%s/my-post/' % d)
-        response = self.app.get('/blog/%s/my-post/diff?v1=0&v2=0' % d)
+        response = self.app.get('/blog/%s/my-post/diff?v2=2&v1=1' % d)
         assert 'My Post' in response
+        assert '<del> Nothing to see here </del> <ins> sometext </ins>'
in response
+        assert '<script>alert' not in response
+        assert '<ins> &lt;script&gt;alert' in response
 
     def test_invalid_lookup(self):
         r = self.app.get('/blog/favicon.ico', status=404)
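Review bot: The new assertions exercise only the `<ins>` branch of diff_text, because the script text exists solely in the revision requested as `v2`; the `delete`/`replace` and `equal` branches that the fix also escapes are left untested. Requesting the reverse diff covers the deleted side with two more lines, `response = self.app.get('/blog/%s/my-post/diff?v1=2&v2=1' % d)` followed by `assert '<del> &lt;script&gt;alert' in response`, and a self-diff such as `diff?v1=2&v2=2` with the same `not in`/`in` pair covers the equal path (assuming version 2 is the revision carrying the script, as the `v2=2&v1=1` request suggests). The ForgeWiki test later in this commit has the same gap: its reversed `diff?v1=2&v2=1` request is followed only by the pre-existing permissions assertions as far as that hunk shows.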

http://git-wip-us.apache.org/repos/asf/allura/blob/ab13d479/ForgeWiki/forgewiki/templates/wiki/page_diff.html
----------------------------------------------------------------------
diff --git a/ForgeWiki/forgewiki/templates/wiki/page_diff.html b/ForgeWiki/forgewiki/templates/wiki/page_diff.html
index dd98802..ea4585d 100644
--- a/ForgeWiki/forgewiki/templates/wiki/page_diff.html
+++ b/ForgeWiki/forgewiki/templates/wiki/page_diff.html
@@ -35,7 +35,7 @@
 <p>Comparing <a href=".?version={{p1.version}}">Version {{p1.version}}</a>
   with <a href=".?version={{p2.version}}">Version {{p2.version}}</a></p>
 <hr/>
-<div style="font-family: fixed-width, monospace; padding: 10px;">
-  {{h.html.literal(edits)}}
+<div style="font-family: monospace; padding: 10px;">
+  {{edits}}
 </div>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/allura/blob/ab13d479/ForgeWiki/forgewiki/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeWiki/forgewiki/tests/functional/test_root.py b/ForgeWiki/forgewiki/tests/functional/test_root.py
index 8781406..6ee5d32 100644
--- a/ForgeWiki/forgewiki/tests/functional/test_root.py
+++ b/ForgeWiki/forgewiki/tests/functional/test_root.py
@@ -338,12 +338,16 @@ class TestRootController(TestController):
 
                                             Now hit your wiki a few times from a browser.
Initially, it will be dead slow, as it is trying to build thumbnails for the images. And it
will time out, a lot. Keep hitting reload, until it works.
 
-                                            **Note:** The logo shown in the sidebar is no
longer stored as an object in the wiki (as it was in the Hosted App installation). Rather
save it as a regular file, then edit LocalSettings.php, adding""")
+                                            **Note:** The logo shown in the sidebar is no
longer stored as an object in the wiki (as it was in the Hosted App installation). Rather
save it as a regular file, then edit LocalSettings.php, adding
+                                            
+                                            <script>alert(1)</script>""")
         self.app.post('/wiki/testdiff/update', params=d)
         response = self.app.get('/wiki/testdiff/diff?v1=1&v2=2')
         assert_in('# Now fix <del> permissons. </del> <ins> permissions.
</ins> '
                   'Wrong permissions may cause <ins> a </ins> massive slowdown!',
                   response)
+        assert_not_in('<script>alert', response)
+        assert_in('&lt;script&gt;alert', response)
         response = self.app.get('/wiki/testdiff/diff?v1=2&v2=1')
         assert_in('# Now fix <del> permissions. </del> <ins> permissons.
</ins> '
                   'Wrong permissions may cause <del> a </del> massive slowdown!',
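Review bot: The whitespace-only line inserted inside the triple-quoted fixture text, between "adding" and `<script>alert(1)</script>`, is trailing whitespace that style checkers flag and that many editors strip on save, so the fixture text can change silently. An empty line would presumably serve the same purpose of separating the script tag from the preceding paragraph, if the tokenisation in diff_text splits on whitespace; that is not visible here. The enclosing test method starts above the hunk and the final `assert_in` call continues past it.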

