SECURITY FIX: Kiwi is vulnerable to XSS attack due to unsanitised topic text. Issue...
authorJack Allnutt <m2ys4u@Gmail.com>
Sat, 27 Oct 2012 08:10:31 +0000 (09:10 +0100)
committerDarren <darren@darrenwhitlen.com>
Sat, 27 Oct 2012 12:09:46 +0000 (13:09 +0100)
Changes the topic bar from an <input> to a <div contenteditable=true/>.

Also now uses Underscore's escape() method rather than .html().text() jQuery hack.

client/assets/css/style.css
client/assets/dev/view.js
client/index.html

index a2c71e9661e844d93656558c42d68ba5749091d5..500cec46e28744a0b7e23f0eb41bc9e319ae4c87 100644 (file)
@@ -186,13 +186,15 @@ a img { border:none; }
 
 
 #topic { background-color:#1B1B1B; height:2em; position:relative; }
-#topic input {
+#topic div {
     position:absolute;
     top:2; bottom:2px; left:0; width:100%;
     padding: 0.2em 1em;
     text-align: center;
     box-shadow: none;
     border-radius: 0;
+    background-color:#FFF;
+    height: 1.5em;
 }
 
 
index 838f5f9e09ed0846788ec299a0ec4ee7e3b7d8b9..64889d29cc89b72689bad617d3bdb0bb657cfae2 100644 (file)
@@ -577,7 +577,7 @@ kiwi.view.Tabs = Backbone.View.extend({
 \r
 kiwi.view.TopicBar = Backbone.View.extend({\r
     events: {\r
-        'keydown input': 'process'\r
+        'keydown div': 'process'\r
     },\r
 \r
     initialize: function () {\r
@@ -588,21 +588,22 @@ kiwi.view.TopicBar = Backbone.View.extend({
 \r
     process: function (ev) {\r
         var inp = $(ev.currentTarget),\r
-            inp_val = inp.val();\r
-\r
-        if (ev.keyCode !== 13) return;\r
-\r
+            inp_val = inp.text();\r
+        \r
         if (kiwi.app.panels.active.isChannel()) {\r
+            if (ev.keyCode !== 13) return;\r
+\r
             kiwi.gateway.topic(kiwi.app.panels.active.get('name'), inp_val);\r
         }\r
+        \r
+        return false;\r
     },\r
 \r
     setCurrentTopic: function (new_topic) {\r
         new_topic = new_topic || '';\r
 \r
         // We only want a plain text version\r
-        new_topic = $('<div>').html(formatIRCMsg(new_topic));\r
-        $('input', this.$el).val(new_topic.text());\r
+        $('div', this.$el).html(formatIRCMsg(_.escape(new_topic)));\r
     }\r
 });\r
 \r
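Review bot: The fix in `setCurrentTopic` (line 67) holds only because `_.escape` runs before `formatIRCMsg`, whose output then goes straight into `.html()`; nothing in the code records that ordering, so a later edit that swaps the two calls would silently reopen the issue this commit closes. A one-line comment would pin it: `// escape the raw topic first: formatIRCMsg's output is inserted as HTML`. Whether the markup `formatIRCMsg` itself emits is safe to insert with `.html()` cannot be confirmed from this hunk. Separately, `process` now reads `inp.text()` on every keydown before the Enter test on line 53; reading it only after `if (ev.keyCode !== 13) return;` avoids the wasted work, and outside a channel the handler returns false for every key, which blocks keyboard editing of the div but presumably not a paste via the context menu.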
@@ -913,7 +914,7 @@ kiwi.view.Application = Backbone.View.extend({
         }\r
 \r
         // If we're typing into an input box somewhere, ignore\r
-        if (ev.target.tagName.toLowerCase() === 'input') {\r
+        if ((ev.target.tagName.toLowerCase() === 'input') || (ev.target.id === 'edittopic')) {\r
             return;\r
         }\r
 \r
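Review bot: The new condition on line 76 couples the application-wide keydown handler to the `edittopic` id from index.html; `ev.target.isContentEditable` expresses the intent directly and also covers any editable element added later: `if ((ev.target.tagName.toLowerCase() === 'input') || ev.target.isContentEditable) {`. The comment on line 74 should say the same, e.g. `// If we're typing into an input box or an editable element somewhere, ignore`. The enclosing function starts and ends outside the hunk.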
index 247d16174ef55535b0fba4142cfd6c7d53d46e60..94a04a2371bdc0e44aa6f9a4c509c1a95320c309 100644 (file)
@@ -28,7 +28,7 @@
             </div>
 
             <div id="topic">
-                <input type="text" />
+                <div id="edittopic" contenteditable="true" ></div>
             </div>
 
             <div id="status_message"></div>
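Review bot: The contenteditable div on line 86 has no role or accessible name, so assistive technology no longer sees a text field where the `<input>` used to be; `<div id="edittopic" contenteditable="true" role="textbox" aria-label="Channel topic"></div>` restores that without changing the editing behaviour. Whether the application styles or labels the element elsewhere cannot be seen from this hunk.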