| author | Giulio Cesare Solaroli <giulio.cesare@clipperz.com> | 2014-05-02 15:14:18 (UTC) |
|---|---|---|
| committer | Giulio Cesare Solaroli <giulio.cesare@clipperz.com> | 2014-05-02 15:24:45 (UTC) |
| commit | ed6b4edc82b0f65c77980713cd525053fcbc1dd2 (patch) (unidiff) | |
| tree | 80eb0e6ccfc4efa15c6488cc83448d8a865169df | |
| parent | 03659f6b3d9766898854e8a769c0c9341b3de80c (diff) | |
| download | clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.zip clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.gz clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.bz2 | |
Fixed issues reported by cure53.de
Fixed issues CLP-01-014 and CLP-01-015
5 files changed, 47 insertions, 11 deletions
diff --git a/frontend/beta/js/Clipperz/Base.js b/frontend/beta/js/Clipperz/Base.js index cf40314..1c6faa1 100644 --- a/frontend/beta/js/Clipperz/Base.js +++ b/frontend/beta/js/Clipperz/Base.js | |||
| @@ -248,2 +248,30 @@ MochiKit.Base.update(Clipperz.Base, { | |||
| 248 | 248 | ||
| 249 | 'javascriptInjectionPattern': new RegExp("javascript:\/\/\"", "g"), | ||
| 250 | |||
| 251 | 'sanitizeUrl': function(aValue) { | ||
| 252 | varresult; | ||
| 253 | |||
| 254 | if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) { | ||
| 255 | result = aValue.replace(this.javascriptInjectionPattern, ''); | ||
| 256 | console.log("sanitized url", aValue, result); | ||
| 257 | } else { | ||
| 258 | result = aValue; | ||
| 259 | } | ||
| 260 | |||
| 261 | return result; | ||
| 262 | }, | ||
| 263 | |||
| 264 | 'sanitizeFavicon': function(aValue) { | ||
| 265 | varresult; | ||
| 266 | |||
| 267 | if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) { | ||
| 268 | result = aValue.replace(this.javascriptInjectionPattern, ''); | ||
| 269 | console.log("sanitized favicon", aValue, result); | ||
| 270 | } else { | ||
| 271 | result = aValue; | ||
| 272 | } | ||
| 273 | |||
| 274 | return result; | ||
| 275 | }, | ||
| 276 | |||
| 249 | //------------------------------------------------------------------------- | 277 | //------------------------------------------------------------------------- |
diff --git a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js index 2295d3f..369b9ce 100644 --- a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js +++ b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js | |||
| @@ -140,3 +140,3 @@ Clipperz.PM.BookmarkletProcessor.prototype = MochiKit.Base.update(null, { | |||
| 140 | 140 | ||
| 141 | actionUrl = this.configuration()['form']['attributes']['action']; | 141 | actionUrl = Clipperz.Base.sanitizeUrl(this.configuration()['form']['attributes']['action']); |
| 142 | //MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl); | 142 | //MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl); |
diff --git a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js index 0e4640e..a5a4697 100644 --- a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js +++ b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js | |||
| @@ -102,3 +102,3 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C | |||
| 102 | //TODO: remove the value: field and replace it with element.dom.value = <some value> | 102 | //TODO: remove the value: field and replace it with element.dom.value = <some value> |
| 103 | option = {tag:'option', value:recordFieldKey, html:recordFields[recordFieldKey].label()} | 103 | option = {tag:'option', value:recordFieldKey, html:Clipperz.Base.sanitizeString(recordFields[recordFieldKey].label())} |
| 104 | if (recordFieldKey == this.directLoginBinding().fieldKey()) { | 104 | if (recordFieldKey == this.directLoginBinding().fieldKey()) { |
| @@ -152,3 +152,3 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C | |||
| 152 | 152 | ||
| 153 | this.getElement('viewValue').update(this.directLoginBinding().field().label()); | 153 | this.getElement('viewValue').update(Clipperz.Base.sanitizeString(this.directLoginBinding().field().label())); |
| 154 | //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode"); | 154 | //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode"); |
diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js index c0cfa3c..56d9d59 100644 --- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js +++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js | |||
| @@ -40,3 +40,3 @@ Clipperz.PM.DataModel.DirectLogin = function(args) { | |||
| 40 | this._reference = args.reference || Clipperz.PM.Crypto.randomKey(); | 40 | this._reference = args.reference || Clipperz.PM.Crypto.randomKey(); |
| 41 | this._favicon = args.favicon || null; | 41 | this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null; |
| 42 | this._bookmarkletVersion = args.bookmarkletVersion || "0.1"; | 42 | this._bookmarkletVersion = args.bookmarkletVersion || "0.1"; |
| @@ -104,5 +104,5 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { | |||
| 104 | 104 | ||
| 105 | actionUrl = this.formData()['attributes']['action']; | 105 | actionUrl = this.action(); |
| 106 | hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1'); | 106 | hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1'); |
| 107 | this._favicon = "http://" + hostname + "/favicon.ico"; | 107 | this._favicon = Clipperz.Base.sanitizeFavicon("http://" + hostname + "/favicon.ico"); |
| 108 | } | 108 | } |
| @@ -139,2 +139,10 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { | |||
| 139 | 139 | ||
| 140 | 'action': function () { | ||
| 141 | varresult; | ||
| 142 | |||
| 143 | result = Clipperz.Base.sanitizeUrl(this.formData()['attributes']['action']); | ||
| 144 | |||
| 145 | return result; | ||
| 146 | }, | ||
| 147 | |||
| 140 | //------------------------------------------------------------------------- | 148 | //------------------------------------------------------------------------- |
| @@ -444,3 +452,3 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { | |||
| 444 | formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, {'method':this.formData()['attributes']['method'], | 452 | formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, {'method':this.formData()['attributes']['method'], |
| 445 | 'action':this.formData()['attributes']['action']})); | 453 | 'action': this.action()})); |
| 446 | //MochiKit.Logging.logDebug("### runDirectLogin - 5"); | 454 | //MochiKit.Logging.logDebug("### runDirectLogin - 5"); |
| @@ -489,5 +497,5 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { | |||
| 489 | // if (/^javascript/.test(this.formData()['attributes']['action'])) { | 497 | // if (/^javascript/.test(this.formData()['attributes']['action'])) { |
| 490 | if ((/^(https?|webdav|ftp)\:/.test(this.formData()['attributes']['action']) == false) && | 498 | if ((/^(https?|webdav|ftp)\:/.test(this.action()) == false) && |
| 491 | (this.formData()['attributes']['type'] != 'http_auth')) | 499 | (this.formData()['attributes']['type'] != 'http_auth') |
| 492 | { | 500 | ) { |
| 493 | var messageBoxConfiguration; | 501 | var messageBoxConfiguration; |
diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js index 236d7c9..ba302da 100644 --- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js +++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js | |||
| @@ -49,3 +49,3 @@ Clipperz.PM.DataModel.DirectLoginReference = function(args) { | |||
| 49 | this._label = args.label; | 49 | this._label = args.label; |
| 50 | this._favicon = args.favicon || null; | 50 | this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null; |
| 51 | 51 | ||