
fix: pentest issues (#65)
* prevent xss

explicitly mark safe strings not to be encoded via Handlebars.SafeString

* format
jsedlacek authored May 10, 2022
1 parent a7d9d39 commit fdf3f5e
Showing 21 changed files with 173 additions and 95 deletions.
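--- a/.prettierrc
+++ b/.prettierrc
@@ -0,0 +1,4 @@
+{
+"singleQuote": true,
+"trailingComma": "none"
+}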
5 changes: 4 additions & 1 deletion Makefile
Expand Up @@ -20,4 +20,7 @@ test:
publish: test clean dist
yarn semantic-release

.PHONY: clean storybook test publish
format:
yarn prettier --write "**/*.{ts,js,json}"

.PHONY: clean storybook test publish format
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -42,6 +42,7 @@
"express": "^4.17.1",
"handlebars-loader": "^1.7.1",
"mocha": "6.2.2",
"prettier": "^2.6.2",
"semantic-release": "^17.2.3",
"ts-loader": "^6.2.1",
"typescript": "^2.8.1",
6 changes: 4 additions & 2 deletions src/base.ts
@@ -1,3 +1,5 @@
import { SafeString } from 'handlebars';

export interface Colors {
primary: string;
foreground: string;
Expand Down Expand Up @@ -30,8 +32,8 @@ export interface EmojiRating {
}

export interface BaseTemplateOptions {
intro: string;
outro: string;
intro: string | SafeString;
outro: string | SafeString;
question: string;
colors: Colors;
direction: string;
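Review bot: Widening `intro` and `outro` to `string | SafeString` moves the escaping decision to the caller without stating the contract; a `SafeString` is emitted by `{{intro}}` verbatim, so the two fields need a comment that says so. Add above each field a TSDoc line such as `/** Escaped by the template when a plain string; a SafeString is rendered unescaped and must only wrap markup the caller has already sanitized. */`. The `BaseTemplateOptions` interface continues past the hunk, so any other option the templates previously rendered with triple braces (the paragraph partial's `text`, if it is declared here) presumably needs the same widening — worth confirming. The `import { SafeString } from 'handlebars'` line is used only as a type; given the TypeScript 2.8 range in package.json a type-only import form is not available, so a plain import is acceptable here.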
2 changes: 1 addition & 1 deletion src/partials/bot-honeypot-link.hbs
Expand Up @@ -4,7 +4,7 @@
<td class="" style="vertical-align:top;width:0px;">
<![endif]-->
<div style="display:none;">
<a href="{{{url}}}" target="_blank" rel="nofollow" style="font-size:0px;color:#f0f0f0;text-decoration:none;"> </a>
<a href="{{url}}" target="_blank" rel="nofollow" style="font-size:0px;color:#f0f0f0;text-decoration:none;"> </a>
</div>
<!--[if mso | IE]>
</td>
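Review bot: Switching to `{{url}}` HTML-escapes the value, which stops it from breaking out of the `href` attribute, but escaping does not constrain what the URL itself is; the same applies to the `href` hunks in choice-list.hbs, long-text.hbs (`surveyUrl`), number-scale.hbs, smiley.hbs, inline.hbs, survey.hbs and zonky-survey.hbs. Where `botHoneypotUrl` and the other link values are built (outside this diff) the code should check that they are absolute http/https URLs before they reach the template, since a string that contains none of the escaped characters lands in the attribute as-is. A short comment next to the anchor documents the split of responsibility for the template side, e.g. `{{!-- url is HTML-escaped here; scheme and host are validated by the caller --}}`.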
2 changes: 1 addition & 1 deletion src/partials/choice-list.hbs
Expand Up @@ -29,7 +29,7 @@
<table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:separate;width:100%;line-height:100%;">
<tr>
<td align="center" bgcolor="{{../colors.primary}}" role="presentation" style="border:none;border-radius:3px;cursor:auto;height:40px;mso-padding-alt:0px;background:{{../colors.primary}};"
valign="middle"> <a {{#if url}} href="{{{url}}}" {{/if}} style="display:block;background:{{../colors.primary}};color:{{../colors.background}};font-family:arial, helvetica, sans-serif;font-size:14px;font-weight:normal;line-height:120%;margin:0;text-decoration:none;text-transform:none;padding:10px 0px;mso-padding-alt:0px;border-radius:3px;"
valign="middle"> <a {{#if url}} href="{{url}}" {{/if}} style="display:block;background:{{../colors.primary}};color:{{../colors.background}};font-family:arial, helvetica, sans-serif;font-size:14px;font-weight:normal;line-height:120%;margin:0;text-decoration:none;text-transform:none;padding:10px 0px;mso-padding-alt:0px;border-radius:3px;"
target="_blank">
{{label}}
</a> </td>
2 changes: 1 addition & 1 deletion src/partials/long-text.hbs
Expand Up @@ -20,7 +20,7 @@
<tbody>
<tr>
<td style="vertical-align:top;padding:1px 2px;">
<a {{#if surveyUrl}} href="{{{surveyUrl}}}" {{/if}} style="background:{{colors.primary}};color:{{colors.background}};padding: 8px 14px;cursor: pointer;display: inline-block;font-size: 15px;border: none;border-radius: 0px;min-width: 100px;width: initial;margin: initial;zoom: 1;line-height: normal;white-space: nowrap;vertical-align: baseline;text-align: center;user-select: none;font-family:arial, helvetica, sans-serif;text-decoration: none;"
<a {{#if surveyUrl}} href="{{surveyUrl}}" {{/if}} style="background:{{colors.primary}};color:{{colors.background}};padding: 8px 14px;cursor: pointer;display: inline-block;font-size: 15px;border: none;border-radius: 0px;min-width: 100px;width: initial;margin: initial;zoom: 1;line-height: normal;white-space: nowrap;vertical-align: baseline;text-align: center;user-select: none;font-family:arial, helvetica, sans-serif;text-decoration: none;"
target="_blank">{{submit}}</a>
</td>
</tr>
2 changes: 1 addition & 1 deletion src/partials/number-scale.hbs
Expand Up @@ -79,7 +79,7 @@
<table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:separate;width:100%;line-height:100%;">
<tr>
<td align="center" bgcolor="{{../colors.primary}}" role="presentation" style="border:none;border-radius:3px;cursor:auto;height:40px;mso-padding-alt:0px;background:{{../colors.primary}};"
valign="middle"> <a {{#if url}} href="{{{url}}}" {{/if}} style="display:block;background:{{../colors.primary}};color:{{../colors.background}};font-family:arial, helvetica, sans-serif;font-size:14px;font-weight:normal;line-height:120%;margin:0;text-decoration:none;text-transform:none;padding:10px 0px;mso-padding-alt:0px;border-radius:3px;"
valign="middle"> <a {{#if url}} href="{{url}}" {{/if}} style="display:block;background:{{../colors.primary}};color:{{../colors.background}};font-family:arial, helvetica, sans-serif;font-size:14px;font-weight:normal;line-height:120%;margin:0;text-decoration:none;text-transform:none;padding:10px 0px;mso-padding-alt:0px;border-radius:3px;"
target="_blank">
{{rating}}
</a> </td>
2 changes: 1 addition & 1 deletion src/partials/paragraph.hbs
Expand Up @@ -19,7 +19,7 @@
<table border="0" cellpadding="0" cellspacing="0" role="presentation" style="vertical-align:top;" width="100%">
<tr>
<td align="left" style="font-size:0px;padding:0px 2px;word-break:break-word;">
<div style="font-family:arial, helvetica, sans-serif;font-size:15px;line-height:150%;text-align:{{left}};color:#454545;">{{{text}}}</div>
<div style="font-family:arial, helvetica, sans-serif;font-size:15px;line-height:150%;text-align:{{left}};color:#454545;">{{text}}</div>
</td>
</tr>
</table>
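Review bot: `{{text}}` now escapes the paragraph body, so a caller that passed markup into `text` (which the previous triple-brace form rendered raw) will see it as literal entities rather than HTML. base.ts in this commit widens only `intro` and `outro` to `string | SafeString`; the option that feeds this partial's `text` is not in the diff, so it is presumably either plain text or needs the same widening plus a `SafeString` wrap at the call site — worth confirming. If it is meant to be plain text, a comment such as `{{!-- text is HTML-escaped; pass a SafeString only for pre-sanitized markup --}}` records the decision in the template.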
2 changes: 1 addition & 1 deletion src/partials/smiley.hbs
Expand Up @@ -79,7 +79,7 @@
<table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:separate;width:100%;line-height:100%;">
<tr>
<td align="center" bgcolor="{{../colors.primary}}" role="presentation" style="border:none;border-radius:3px;cursor:auto;height:40px;mso-padding-alt:0px;background:{{../colors.primary}};"
valign="middle"> <a {{#if url}} href="{{{url}}}" {{else}} sm-preview-value="{{value}}" {{/if}} style="display:block;background:{{../colors.primary}};color:{{../colors.background}};font-family:arial, helvetica, sans-serif;font-size:14px;font-weight:normal;line-height:1;margin:0;text-decoration:none;text-transform:none;padding:10px;mso-padding-alt:0px;border-radius:3px;"
valign="middle"> <a {{#if url}} href="{{url}}" {{else}} sm-preview-value="{{value}}" {{/if}} style="display:block;background:{{../colors.primary}};color:{{../colors.background}};font-family:arial, helvetica, sans-serif;font-size:14px;font-weight:normal;line-height:1;margin:0;text-decoration:none;text-transform:none;padding:10px;mso-padding-alt:0px;border-radius:3px;"
target="_blank">
<div style="width:36px;height:auto;border-radius: 50%;filter: drop-shadow(rgba(51, 51, 51, 0.5) 0px 0px 3px);">
<img src="{{imageUrl}}" alt="{{emoji}}" width="36" height="auto" />
6 changes: 3 additions & 3 deletions src/templates/inline.hbs
Expand Up @@ -268,7 +268,7 @@
{{> bot-honeypot-link url=botHoneypotUrl}}
{{/if}}
<div class="ee_editable ee_element">
{{{intro}}}
{{intro}}
<p style="margin: 0px; line-height: 150%; font-family: arial, helvetica, sans-serif; text-align: {{left}}; font-size: 15px; color: rgb(69, 69, 69);">{{question}}</p>
</div>
<table class="ee_element ee_borders eeb_width" cellpadding="0" cellspacing="0" data-eewidth="530" style="table-layout: auto; width: 530px;">
Expand Down Expand Up @@ -303,7 +303,7 @@
<td class="ee_pad" style="width: auto; padding: 0px;">
<div class="ee_editable eev_element" style="width: 43px;">
<p style="margin: 0px; text-align: center; font-family: arial, helvetica, sans-serif; color: rgb(255, 255, 255); font-size: 14px;">
<b><a {{#if url}} href="{{{url}}}" {{/if}} style="display:block; line-height: 100%; color: {{../colors.background}}; text-decoration: none; border: 12px solid {{../colors.primary}};">{{rating}}</a></b>
<b><a {{#if url}} href="{{url}}" {{/if}} style="display:block; line-height: 100%; color: {{../colors.background}}; text-decoration: none; border: 12px solid {{../colors.primary}};">{{rating}}</a></b>
</p>
</div>
</td>
Expand Down Expand Up @@ -355,5 +355,5 @@
</tbody>
</table>
<div class="ee_editable ee_element">
{{{outro}}}
{{outro}}
</div>
6 changes: 3 additions & 3 deletions src/templates/survey.hbs
Expand Up @@ -58,7 +58,7 @@ table.ee_mobiletemplate { table-layout: fixed !important; }
<tbody>
<tr>
<td width="100%" valign="top" class="ee_dropzone ved-scaled-cols" align="{{left}}" style="width: 530px; padding-top: 0px;padding-{{right}}: 0px;padding-bottom: 0px;padding-{{left}}: 0px;"><div class="ee_editable ee_element">
{{{intro}}}
{{intro}}
<p style="margin: 0px; line-height: 150%; font-family: arial, helvetica, sans-serif; text-align: {{left}}; font-size: 15px; color: rgb(69, 69, 69);">{{question}}</p>
</div>
<table class="ee_element ee_borders eeb_width" cellpadding="0" cellspacing="0" data-eewidth="530" style="table-layout: auto; width: 530px; border-spacing: 0;"><tbody><tr><td class="ee_pad" style="padding-top: 15px; padding-bottom: 25px; width: auto;"><table width="100%" border="0" cellspacing="0" cellpadding="0" class="ee_columns eev_element" style="width: 530px; position: relative; table-layout: auto; border-spacing: 0;" data-eewidth="530">
Expand All @@ -79,7 +79,7 @@ table.ee_mobiletemplate { table-layout: fixed !important; }
<tr>
<td class="ee_pad" style="width: auto; padding: 0px;"><div class="ee_editable eev_element" style="width: 43px;">
<p style="margin: 0px; text-align: center; font-family: arial, helvetica, sans-serif; color: rgb(255, 255, 255); font-size: 14px;">
<b><a {{#if url}} href="{{{url}}}" {{/if}} style="display:block; line-height: 100%; color: {{../colors.background}}; text-decoration: none; border: 12px solid {{../colors.primary}};">{{rating}}</a></b>
<b><a {{#if url}} href="{{url}}" {{/if}} style="display:block; line-height: 100%; color: {{../colors.background}}; text-decoration: none; border: 12px solid {{../colors.primary}};">{{rating}}</a></b>
</p>
</div></td>
</tr>
Expand All @@ -106,7 +106,7 @@ table.ee_mobiletemplate { table-layout: fixed !important; }
</tbody>
</table></td></tr></tbody></table>
<div class="ee_editable ee_element">
{{{outro}}}
{{outro}}
</div></td>
</tr>
</tbody>
6 changes: 3 additions & 3 deletions src/templates/zonky-survey.hbs
Expand Up @@ -90,7 +90,7 @@ table.ee_mobiletemplate { table-layout: fixed !important; }
<tr>
<td width="100%" valign="top" class="ee_dropzone ved-scaled-cols" align="{{left}}" style="width: 530px; padding-top: 0px;padding-{{right}}: 0px;padding-bottom: 0px;padding-{{left}}: 0px;"><div class="ee_editable ee_element">
<img src="https://zonky.cz/images/logo/logo-satismeter.png" class="ee_logo" style="float: right; margin-top: -10px; width: 116px; height: 35px;"/>
{{{intro}}}
{{intro}}
<img src="https://zonky.cz/images/zebra/zebra-point-self-fill-flipped.png" class="ee_intro_img" style="float: right; width: 76px; height: 80px; margin-right: 50px;"/>
<p class="ee_question_outer" style="margin: 0px; margin-top: 30px; line-height: 150%; font-family: arial, helvetica, sans-serif; text-align: {{left}}; font-size: 15px; color: rgb(69, 69, 69);">
{{question}}
Expand All @@ -114,7 +114,7 @@ table.ee_mobiletemplate { table-layout: fixed !important; }
<tr>
<td class="ee_pad" style="width: auto; padding: 0px;"><div class="ee_editable eev_element" style="width: 43px;">
<p style="margin: 0px; text-align: center; font-family: arial, helvetica, sans-serif; color: rgb(255, 255, 255); font-size: 14px;">
<b><a {{#if url}} href="{{{url}}}" {{/if}} style="display:block; line-height: 100%; color: {{../colors.background}}; text-decoration: none; border: 12px solid {{../colors.primary}};">{{rating}}</a></b>
<b><a {{#if url}} href="{{url}}" {{/if}} style="display:block; line-height: 100%; color: {{../colors.background}}; text-decoration: none; border: 12px solid {{../colors.primary}};">{{rating}}</a></b>
</p>
</div></td>
</tr>
Expand Down Expand Up @@ -142,7 +142,7 @@ table.ee_mobiletemplate { table-layout: fixed !important; }
</table></td></tr></tbody></table>
<div class="ee_editable ee_element">
<img src="https://zonky.cz/images/zebra/zebra-think-cropped.png" class="ee_outro_img" style="float: right; margin-bottom: 20px; margin-right: 120px;"/>
{{{outro}}}
{{outro}}
</div></td>
</tr>
</tbody>

1 comment on commit fdf3f5e


@vercel vercel bot commented on fdf3f5e May 10, 2022
