Merge pull request cliftonc#196 from arosboro/issue#102_xss

Include sanitizer project for filtering of xss vulnerabilities
coderedhead · Apr 18, 2013 · ff189b3 · ff189b3
2 parents 220159e + 73e3ee0
commit ff189b3
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/modules/core/content/content.js b/modules/core/content/content.js
@@ -8,6 +8,7 @@ var rootpath = process.cwd() + '/',
   calipso = require(path.join(rootpath, 'lib/calipso')),
   Query = require("mongoose").Query,
   utils = require('connect').utils,
+	sanitizer = require('sanitizer'),
   merge = utils.merge;
 
 exports = module.exports = {
@@ -186,10 +187,18 @@ function getContent(req, options, next) {
           text = "<span title='" + req.t("Double click to edit content block ...") + "' class='content-block' id='" + c._id + "'>" +
             text + "</span>";
         }
+				text = sanitizer.sanitize(text);
 
         next(null, text);
 
       } else {
+				// Sanitize strings
+				var prop;
+				for (var prop in c) {
+					if (typeof c[prop] === 'string') {
+						c[prop] = sanitizer.sanitize(c[prop]);
+					}
+				}
 
         // Just return the object
         next(null, c);
@@ -1028,4 +1037,4 @@ function install(next) {
 function scheduledPublish(args, next) {
   calipso.info("Scheduled publish: " + args);
   next();
-}
+}
diff --git a/modules/core/user/user.js b/modules/core/user/user.js
@@ -5,6 +5,7 @@ var rootpath = process.cwd() + '/',
   path = require('path'),
   calipso = require(path.join(rootpath, 'lib/calipso')),
   roles = require('./user.roles'),
+	sanitizer = require('sanitizer'),
   Query = require("mongoose").Query,
   everyauth = require("everyauth");
 
@@ -959,6 +960,14 @@ function userProfile(req, res, template, block, next) {
       return;
     }
 
+		// Sanitize user object
+		var prop;
+		for (var prop in u) {
+			if (typeof u[prop] === 'string') {
+				u[prop] = sanitizer.sanitize(u[prop]);
+			}
+		}
+
     if (req.session.user && req.session.user.isAdmin) {
       res.menu.adminToolbar.addMenuItem(req, {name:'List', weight:2, path:'list', url:'/user/list', description:'List users ...', security:[], icon:"icon-list-3"});
       res.menu.adminToolbar.addMenuItem(req, {name:'Edit', weight:1, path:'edit', url:'/user/profile/' + username + '/edit', description:'Edit user details ...', security:[], icon:"icon-pencil-2"});

diff --git a/package.json b/package.json
@@ -53,7 +53,8 @@
         "everyauth":"0.3.x",
         "adm-zip":"0.1.x",
         "node-xml":"1.0.x",
-        "knox":"0.0.x"
+        "knox":"0.0.x",
+				"sanitizer":"0.0.15"
     },
     "optionalDependencies":{
         "bcrypt":"0.7.x",