Fix Cross-Site-Scripting Vulnerability (#2034)

This patch fixes a cross-site-scripting vulnerability in Greenlight which allowed users to inject code into Greenlight by adding scripts into their names. Co-authored-by: Ahmad Farhat <ahmad.af.farhat@gmail.com>
2020-08-24 20:32:14 +02:00
parent e5340d2a7a
commit 503ca52806
1 changed files with 15 additions and 6 deletions
--- a/app/assets/javascripts/room.js
+++ b/app/assets/javascripts/room.js
@@ -122,11 +122,20 @@ $(document).on('turbolinks:load', function(){
        listItem.setAttribute('class', 'list-group-item text-left not-saved add-access');
        listItem.setAttribute("data-uid", uid)
-        let spanItem = "<span class='avatar float-left mr-2'>" + option.text().charAt(0) + "</span> <span class='shared-user'>" +
+        let spanItemAvatar = document.createElement("span"),
-          option.text() + " <span class='text-muted'>" + option.data("subtext") + "</span></span>" +
+            spanItemName = document.createElement("span"),
-          "<span class='text-primary float-right shared-user cursor-pointer' onclick='removeSharedUser(this)'><i class='fas fa-times'></i></span>"
+            spanItemUser = document.createElement("span");
        spanItemAvatar.setAttribute('class', 'avatar float-left mr-2');
        spanItemAvatar.innerText = option.text().charAt(0);
        spanItemName.setAttribute('class', 'shared-user');
        spanItemName.innerText = option.text();
        spanItemUser.setAttribute('class', 'text-muted');
        spanItemUser.innerText = option.data('subtext');
        spanItemName.append(spanItemUser);
-        listItem.innerHTML = spanItem
+        listItem.innerHTML = "<span class='text-primary float-right shared-user cursor-pointer' onclick='removeSharedUser(this)'><i class='fas fa-times'></i></span>"
        listItem.prepend(spanItemName);
        listItem.prepend(spanItemAvatar);
        $("#user-list").append(listItem)
      }