SECURITY FIX: Kiwi is vulnerable to XSS attack due to unsanitised topic text. Issue...
authorJack Allnutt <m2ys4u@Gmail.com>
Sat, 27 Oct 2012 08:10:31 +0000 (09:10 +0100)
committerJack Allnutt <m2ys4u@Gmail.com>
Sat, 27 Oct 2012 08:10:31 +0000 (09:10 +0100)
Changes the topic bar from an <input> to a <div contenteditable=true/>.

Also now uses Underscore's escape() method rather than the .html().text() jQuery hack.

client/assets/css/style.css
client/assets/dev/view.js
client/index.html

index 0a0c6ae0c245b25da9eca06ed254424e819b8e86..107488389675a57b4c07b3df1b7c0f76e0291980 100644 (file)
@@ -186,13 +186,15 @@ a img { border:none; }
 
 
 #topic { background-color:#1B1B1B; height:2em; position:relative; }
-#topic input {
+#topic div {
     position:absolute;
     top:2; bottom:2px; left:0; width:100%;
     padding: 0.2em 1em;
     text-align: center;
     box-shadow: none;
     border-radius: 0;
+    background-color:#FFF;
+    height: 1.5em;
 }
 
 
index 20d8f02f2d6b2e023ac2e2f8f61088ae69ee82aa..07c7f4bbff473043cb842d8baee330aeca6d4431 100644 (file)
@@ -577,7 +577,7 @@ kiwi.view.Tabs = Backbone.View.extend({
 \r
 kiwi.view.TopicBar = Backbone.View.extend({\r
     events: {\r
-        'keydown input': 'process'\r
+        'keydown div': 'process'\r
     },\r
 \r
     initialize: function () {\r
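Review bot: The delegated selector `'keydown div'` on the changed events line binds `process` to every `div` inside the view's element, not just the editable one, so any div later placed under `#topic` (a placeholder, an overlay) would also route its keystrokes through `process` and have them cancelled by the `return false` that the next hunk adds; the same bare selector is used by `$('div', this.$el)` in `setCurrentTopic` in that hunk. Since the markup gives the element an id, `'keydown #edittopic': 'process'` here and `$('#edittopic', this.$el)` there pin both to the intended node. TopicBar's definition continues past this hunk.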
@@ -588,21 +588,22 @@ kiwi.view.TopicBar = Backbone.View.extend({
 \r
     process: function (ev) {\r
         var inp = $(ev.currentTarget),\r
-            inp_val = inp.val();\r
-\r
-        if (ev.keyCode !== 13) return;\r
-\r
+            inp_val = inp.text();\r
+        \r
         if (kiwi.app.panels.active.isChannel()) {\r
+            if (ev.keyCode !== 13) return;\r
+\r
             kiwi.gateway.topic(kiwi.app.panels.active.get('name'), inp_val);\r
         }\r
+        \r
+        return false;\r
     },\r
 \r
     setCurrentTopic: function (new_topic) {\r
         new_topic = new_topic || '';\r
 \r
         // We only want a plain text version\r
-        new_topic = $('<div>').html(formatIRCMsg(new_topic));\r
-        $('input', this.$el).val(new_topic.text());\r
+        $('div', this.$el).html(formatIRCMsg(_.escape(new_topic)));\r
     }\r
 });\r
 \r
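Review bot: In `setCurrentTopic` the fix's safety hinges on ordering — `_.escape` runs on the raw topic and `formatIRCMsg` then only adds its own markup before the result reaches `.html()` — but nothing at the call site says so, and a later edit that moves `_.escape` outside the `formatIRCMsg` call or feeds the raw topic to `.html()` elsewhere would reopen the injection this commit closes; a comment such as `// Escape the raw topic BEFORE formatting: formatIRCMsg may add markup, the topic text itself must never reach .html() unescaped` pins the invariant. This presumes formatIRCMsg neither unescapes its input nor builds attributes from it, which is not visible here and is worth confirming. In `process`, the unconditional `return false;` added after the channel check also cancels every keydown when the active panel is not a channel, which makes the contenteditable effectively read-only there; if that is intended, say so in a comment, otherwise move `return false;` inside the `isChannel()` branch so only the Enter that sent the topic is cancelled.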
@@ -896,7 +897,7 @@ kiwi.view.Application = Backbone.View.extend({
         }\r
 \r
         // If we're typing into an input box somewhere, ignore\r
-        if (ev.target.tagName.toLowerCase() === 'input') {\r
+        if ((ev.target.tagName.toLowerCase() === 'input') || (ev.target.id === 'edittopic')) {\r
             return;\r
         }\r
 \r
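Review bot: The new `ev.target.id === 'edittopic'` test on the changed line ties the Application-level keydown filter to one element id, so any further editable region (another contenteditable, a `textarea`) would still have its keystrokes treated as global shortcuts. `if ((ev.target.tagName.toLowerCase() === 'input') || ev.target.isContentEditable) {` expresses the intent — ignore keys typed into an editable field — and covers the new topic div without naming it; `textarea` could be added to the tag test at the same time. The enclosing handler starts and ends outside this hunk.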
index bd33cc1573ece35c9c803d9ca084108dc8619c58..fccd4ac6db857e32b126f79f2dd35437ea70f19c 100644 (file)
@@ -22,7 +22,7 @@
             </div>
 
             <div id="topic">
-                <input type="text" />
+                <div id="edittopic" contenteditable="true" ></div>
             </div>
 
             <div id="status_message"></div>
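Review bot: Swapping the `<input>` for a bare `contenteditable` div drops the native textbox semantics — no role, accessible name, or single-line behaviour — so assistive technology no longer announces the region as an editable topic field. Adding `role="textbox" aria-label="Channel topic"` to the new element restores that, and `spellcheck="false"` keeps browsers from underlining nicks and URLs. Whatever the user pastes into a contenteditable is inserted as rich markup into their own DOM; the view only ever sends `.text()`, so that stays local rather than reaching other users, but a one-line comment in the markup noting that the div's HTML is never sent would help the next maintainer keep it that way.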