Commit 4694c012 authored by Curtis Adam's avatar Curtis Adam

Merge branch 'xss-frontend' into 'staging'

Xss frontend

See merge request arsnova/flashcards!807
parents 60e362a6 a76da74b
......@@ -70,3 +70,4 @@ czbaker:lightbox2
fastclick
jquery@1.11.10
east5th:package-scan
wtfzn:dompurify
......@@ -253,4 +253,5 @@ url@1.2.0
webapp@1.5.0
webapp-hashing@1.0.9
wtfzn:bootstrap-markdown@2.8.0
wtfzn:dompurify@0.6.1
zimme:active-route@2.3.2
export const DOMPurifyConfig = {
FORBID_TAGS: ['style'],
FORBID_ATTR: ['style']
};
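Review bot: `DOMPurifyConfig` is exported as a plain mutable object, so any module that imports it can add or remove keys at runtime and silently weaken every `sanitize` call that shares it; freezing it costs nothing: `export const DOMPurifyConfig = Object.freeze({`. The file also gives no reason for forbidding only `style` — DOMPurify already drops scripts and event-handler attributes by default — so the comment a reader needs is the rationale for this extra restriction, e.g. `// DOMPurify defaults already strip script/event-handler content; style is forbidden so user content cannot restyle or overlay the surrounding UI` (that is the presumed intent; adjust if it differs). DOMPurify's defaults also admit `<svg>`/`<math>` markup and `data-*` attributes; if card output is meant to be text-and-markdown only, that decision belongs here explicitly rather than being left to the library defaults.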
......@@ -12,6 +12,8 @@ import {toggleFullscreen} from "../../ui/card/card";
import {Paid} from "../../api/paid";
import {getUserLanguage} from "../../startup/client/i18n";
import {gotDifficultyLevel, gotNotesForDifficultyLevel} from "../../api/cardTypes";
import DOMPurify from 'dompurify';
import {DOMPurifyConfig} from "../../api/dompurify.js";
Meteor.subscribe("collegesCourses");
......@@ -68,7 +70,7 @@ Template.registerHelper("getNextCardTime", function () {
});
Template.registerHelper("getKind", function (kind) {
switch (kind) {
switch (DOMPurify.sanitize(kind, DOMPurifyConfig)) {
case "free":
return '<span class="label label-free" data-id="free">Free</span>';
case "edu":
......@@ -481,7 +483,7 @@ Template.registerHelper("getMaximumText", function (text) {
const helper = new MeteorMathJax.Helper({
useCache: true,
transform: function (x) {
return lib.setLightBoxes(window.markdeep.format(x, true));
return DOMPurify.sanitize(lib.setLightBoxes(window.markdeep.format(x, true)));
}
});
......
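Review bot: The MathJax `transform` at the end of the hunk calls `DOMPurify.sanitize` with no config, unlike every other call in this merge request, so `<style>` elements and `style` attributes in user-authored card text survive here while they are forbidden in the admin views; this is the path that renders untrusted markdeep output, so it is the one that should use the shared config: `return DOMPurify.sanitize(lib.setLightBoxes(window.markdeep.format(x, true)), DOMPurifyConfig);`. Two things the hunk cannot show need verifying: whatever markup `lib.setLightBoxes` adds must survive DOMPurify's default attribute allow-list (from memory `target`, for one, is dropped unless configured), and `import DOMPurify from 'dompurify'` resolves the npm module while the manifest change in this MR adds the Atmosphere package `wtfzn:dompurify` — either declare `dompurify` in package.json or import from `meteor/wtfzn:dompurify`. The `getKind` helper above only returns fixed literals, so sanitizing its switch argument has no security effect and can be dropped.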
......@@ -8,6 +8,8 @@ import {Cardsets} from "../../../api/cardsets.js";
import "./admin_cards.html";
import "./admin_card.js";
import {getAuthorName} from "../../../api/cardsetUserlist.js";
import DOMPurify from 'dompurify';
import {DOMPurifyConfig} from "../../../api/dompurify.js";
/*
* ############################################################################
......@@ -24,12 +26,12 @@ Template.admin_cards.helpers({
var cardset = Cardsets.findOne({_id: card.cardset_id});
fields.push({
"_id": card._id,
"front": card.front,
"back": card.back,
"front": DOMPurify.sanitize(card.front, DOMPurifyConfig),
"back": DOMPurify.sanitize(card.back, DOMPurifyConfig),
"cardset_id": card.cardset_id,
"cardsetname": cardset.name,
"cardsetname": DOMPurify.sanitize(cardset.name, DOMPurifyConfig),
"user_id": cardset.owner,
"username": getAuthorName(cardset.owner),
"username": DOMPurify.sanitize(getAuthorName(cardset.owner), DOMPurifyConfig),
"userDeleted": cardset.userDeleted
});
});
......
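Review bot: `DOMPurify.sanitize` returns serialized HTML, not plain text, so `cardsetname` and `username` now come back entity-encoded (a name like `Tom & Jerry` becomes `Tom &amp; Jerry`); if admin_cards.html renders these with Blaze's escaping `{{ }}` they display double-escaped, and if it uses `{{{ }}}` the sanitizer is doing the template's job. Decide per field: pass plain-text fields (`cardsetname`, `username`) through unchanged and render them with `{{ }}`, and keep `DOMPurify.sanitize(..., DOMPurifyConfig)` only for `front`/`back`, which presumably carry markup destined for `{{{ }}}`. The template is outside this hunk, so which rendering form is in use is inferred from the field names and should be checked.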
......@@ -8,6 +8,8 @@ import {getAuthorName} from "../../../api/cardsetUserlist.js";
import {getUserLanguage} from "../../../startup/client/i18n";
import "./admin_cardsets.html";
import "./admin_cardset.js";
import DOMPurify from 'dompurify';
import {DOMPurifyConfig} from "../../../api/dompurify.js";
/*
* ############################################################################
......@@ -37,10 +39,10 @@ Template.admin_cardsets.helpers({
}
fields.push({
"_id": cardset._id,
"name": cardset.name,
"kind": kind,
"name": DOMPurify.sanitize(cardset.name, DOMPurifyConfig),
"kind": DOMPurify.sanitize(kind, DOMPurifyConfig),
"wordcloud": cardset.wordcloud,
"username": getAuthorName(cardset.owner),
"username": DOMPurify.sanitize(getAuthorName(cardset.owner), DOMPurifyConfig),
"owner": cardset.owner,
"userDeleted": cardset.userDeleted,
"dateString": dateString,
......
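Review bot: The same `DOMPurify.sanitize(x, DOMPurifyConfig)` call is repeated on every field of every row across the admin helpers with no guard for a missing value; depending on the DOMPurify version in use, a non-string input is either coerced or throws a TypeError, so a cardset without a `name` could break the whole admin listing rather than one row. A small shared helper next to the config, `export function sanitizeField(value) { return DOMPurify.sanitize(value == null ? '' : String(value), DOMPurifyConfig); }`, keeps the policy in one place and makes the null behaviour explicit. `kind` is computed above the hunk, so whether it is a plain enum string or already-built markup cannot be seen here; if it is the former, sanitizing it is a no-op that can be removed.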
......@@ -7,7 +7,8 @@ import {Cardsets} from "../../../api/cardsets.js";
import {getUserLanguage} from "../../../startup/client/i18n";
import "./admin_users.html";
import "./admin_user.js";
import DOMPurify from 'dompurify';
import {DOMPurifyConfig} from "../../../api/dompurify.js";
Meteor.subscribe('allUsers');
......@@ -27,7 +28,7 @@ Template.admin_users.helpers({
users.forEach(function (user) {
dateString = moment(user.createdAt).locale(getUserLanguage()).format('LL');
date = moment(user.createdAt).format("YYYY-MM-DD");
fields.push({"_id": user._id, "profilename": user.profile.name, "dateString": dateString, "date": date});
fields.push({"_id": user._id, "profilename": DOMPurify.sanitize(user.profile.name, DOMPurifyConfig), "dateString": dateString, "date": date});
});
return fields;
......
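Review bot: `user.profile.name` is handed straight to `DOMPurify.sanitize`, and a profile name may be absent on some user documents; DOMPurify's handling of non-string input differs between versions (older releases throw a TypeError, newer ones return an empty string), so one such user can fail the whole list. Guard it: `"profilename": DOMPurify.sanitize(user.profile.name || '', DOMPurifyConfig)`. Since a profile name is plain text, also consider whether admin_users.html should simply render it with `{{ }}` (Blaze escaping) instead; sanitizing entity-encodes characters such as `&`, which then double-escape under `{{ }}`. The template is outside the hunk, so this is inferred from the field's use as a display name.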
......@@ -20,6 +20,8 @@ import {
gotPresentationMode
} from "../../api/cardTypes";
import {getTargetAudienceName} from "../../api/targetAudience";
import DOMPurify from 'dompurify';
import {DOMPurifyConfig} from "../../api/dompurify.js";
Meteor.subscribe("cardsets");
Meteor.subscribe("paid");
......@@ -341,7 +343,7 @@ Template.cardsetInfo.onRendered(function () {
Template.cardsetInfo.helpers({
getKind: function () {
switch (this.kind) {
switch (DOMPurify.sanitize(this.kind, DOMPurifyConfig)) {
case "personal":
return '<span class="label label-warning">Private</span>';
case "free":
......
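Review bot: Sanitizing `this.kind` before the `switch` has no security effect: each case compares against a fixed string and returns a hard-coded `<span>` literal, so an untrusted `kind` never reaches the output, and a value DOMPurify alters simply stops matching and falls through. Keep the switch on the raw value, `switch (this.kind) {`, and reserve `DOMPurify.sanitize` for values that are actually interpolated into markup; if the helper's `default` branch echoes `kind` back, sanitize there instead. The helper body and any default case continue past the end of the hunk, so that branch cannot be checked here.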