From a86e450a1a12bdffe9ce6d5c9b09d94df9a32931 Mon Sep 17 00:00:00 2001
From: Jack Allnutt <m2ys4u@Gmail.com>
Date: Sat, 27 Oct 2012 09:10:31 +0100
Subject: [PATCH] SECURITY FIX: Kiwi is vulnerable to XSS attack due to
 unsanitised topic text. Issue #103

Changes the topic bar from an <input> to a <div contenteditable=true/>.

Also now uses Underscore's escape() method rather than .html().text() jQuery hack.
---
 client/assets/css/style.css |  4 +++-
 client/assets/dev/view.js   | 17 +++++++++--------
 client/index.html           |  2 +-
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/client/assets/css/style.css b/client/assets/css/style.css
index 0a0c6ae..1074883 100644
--- a/client/assets/css/style.css
+++ b/client/assets/css/style.css
@@ -186,13 +186,15 @@ a img { border:none; }
 
 
 #topic { background-color:#1B1B1B; height:2em; position:relative; }
-#topic input {
+#topic div {
     position:absolute;
     top:2; bottom:2px; left:0; width:100%;
     padding: 0.2em 1em;
     text-align: center;
     box-shadow: none;
     border-radius: 0;
+    background-color:#FFF;
+    height: 1.5em;
 }
 
 
diff --git a/client/assets/dev/view.js b/client/assets/dev/view.js
index 20d8f02..07c7f4b 100644
--- a/client/assets/dev/view.js
+++ b/client/assets/dev/view.js
@@ -577,7 +577,7 @@ kiwi.view.Tabs = Backbone.View.extend({
 
 kiwi.view.TopicBar = Backbone.View.extend({
     events: {
-        'keydown input': 'process'
+        'keydown div': 'process'
     },
 
     initialize: function () {
@@ -588,21 +588,22 @@ kiwi.view.TopicBar = Backbone.View.extend({
 
     process: function (ev) {
         var inp = $(ev.currentTarget),
-            inp_val = inp.val();
-
-        if (ev.keyCode !== 13) return;
-
+            inp_val = inp.text();
+        
         if (kiwi.app.panels.active.isChannel()) {
+            if (ev.keyCode !== 13) return;
+
             kiwi.gateway.topic(kiwi.app.panels.active.get('name'), inp_val);
         }
+        
+        return false;
     },
 
     setCurrentTopic: function (new_topic) {
         new_topic = new_topic || '';
 
         // We only want a plain text version
-        new_topic = $('<div>').html(formatIRCMsg(new_topic));
-        $('input', this.$el).val(new_topic.text());
+        $('div', this.$el).html(formatIRCMsg(_.escape(new_topic)));
     }
 });
 
@@ -896,7 +897,7 @@ kiwi.view.Application = Backbone.View.extend({
         }
 
         // If we're typing into an input box somewhere, ignore
-        if (ev.target.tagName.toLowerCase() === 'input') {
+        if ((ev.target.tagName.toLowerCase() === 'input') || (ev.target.id === 'edittopic')) {
             return;
         }
 
diff --git a/client/index.html b/client/index.html
index bd33cc1..fccd4ac 100644
--- a/client/index.html
+++ b/client/index.html
@@ -22,7 +22,7 @@
             </div>
 
             <div id="topic">
-                <input type="text" />
+                <div id="edittopic" contenteditable="true" ></div>
             </div>
 
             <div id="status_message"></div>
-- 
2.25.1