
Merge pull request #868 from xdg-forks/sanitize-instead-of-escape
Sanitize instead of escape
plural authored Nov 29, 2024
2 parents 66bfa21 + 61620ef commit a77bec7
Showing 8 changed files with 28 additions and 25 deletions.
2 changes: 1 addition & 1 deletion app/Resources/views/layout.html.twig
Expand Up @@ -53,6 +53,7 @@
<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.24.0/moment.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/localforage/1.7.3/localforage.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/intro.js/2.9.3/intro.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.0.9/purify.min.js"></script>
<script src="{{ asset('/lib/bootstrap-toggle-checklist.js') }}"></script>
<script src="{{ asset('/lib/jquery-persistence.js') }}"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.1/cookieconsent.min.js"></script>
Expand Down Expand Up @@ -99,7 +100,6 @@
gtag('config', 'UA-131671930-1');
</script>
{% endif %}
<script src="{{ asset('/js/sanitize.js') }}"></script>
<script src="{{ asset('/js/nrdb.js') }}"></script>
<script src="{{ asset('/js/nrdb.user.js') }}"></script>
<script src="{{ asset('/js/nrdb.data.js') }}"></script>
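Review bot: The DOMPurify script on the added line is fetched from a third-party CDN without `integrity` and `crossorigin` attributes, and after this commit it is the only client-side defence applied to user-authored Markdown, so a tampered CDN response would disable the sanitizer with no visible failure. Pin the build with a subresource-integrity hash, e.g. `<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.0.9/purify.min.js" integrity="sha384-<PLACEHOLDER: hash published by cdnjs for this exact file>" crossorigin="anonymous"></script>`. The neighbouring CDN scripts have the same gap, but this one carries the security boundary. As far as I recall, later 3.x releases of DOMPurify shipped sanitizer-bypass fixes, so the pinned 3.0.9 build should be checked against current advisories before this ships.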
6 changes: 4 additions & 2 deletions src/AppBundle/Controller/BuilderController.php
Expand Up @@ -12,6 +12,7 @@
use AppBundle\Service\CardsData;
use AppBundle\Service\DeckManager;
use AppBundle\Service\Judge;
use AppBundle\Service\TextProcessor;
use Doctrine\ORM\EntityManagerInterface;
use Psr\Log\LoggerInterface;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
Expand Down Expand Up @@ -630,11 +631,12 @@ public function octgnExportAction(Deck $deck)
* @param Request $request
* @param EntityManagerInterface $entityManager
* @param DeckManager $deckManager
* @param TextProcessor $textProcessor
* @return \Symfony\Component\HttpFoundation\RedirectResponse|Response
*
* @IsGranted("IS_AUTHENTICATED_REMEMBERED")
*/
public function saveAction(Request $request, EntityManagerInterface $entityManager, DeckManager $deckManager)
public function saveAction(Request $request, EntityManagerInterface $entityManager, DeckManager $deckManager, TextProcessor $textProcessor)
{
/** @var User $user */
$user = $this->getUser();
Expand Down Expand Up @@ -674,7 +676,7 @@ public function saveAction(Request $request, EntityManagerInterface $entityManag
}
$name = filter_var($request->get('name'), FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
$decklist_id = intval(filter_var($request->get('decklist_id'), FILTER_SANITIZE_NUMBER_INT));
$description = filter_var(trim(($request->get('description'))), FILTER_SANITIZE_SPECIAL_CHARS);
$description = $textProcessor->purify(trim($request->get('description')));
$tags = explode(',', filter_var($request->get('tags'), FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES));
$mwl_code = $request->get('format_casual') ? null : $request->get('mwl_code');

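Review bot: On the new `$description` line, `$request->get('description')` returns null when the field is absent and `trim(null)` is deprecated on PHP 8.1+; the removed line had the same weakness, but since the line is being rewritten anyway it should read `$description = $textProcessor->purify(trim((string) $request->get('description', '')));`. The contract of `TextProcessor::purify()` is not visible in this hunk; if it returns HTML rather than Markdown source, the stored value changes representation compared with the previous `FILTER_SANITIZE_SPECIAL_CHARS` output, and the clients in this same commit that feed the stored description through a Markdown converter (deckview.v2.js) should be checked against that, ideally with a one-line comment on this line stating what purify guarantees. The adjacent, untouched `FILTER_SANITIZE_STRING` calls for `name` and `tags` are also deprecated since PHP 8.1. The body of saveAction continues outside the hunk.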
3 changes: 2 additions & 1 deletion web/js/deck.v2.js
Expand Up @@ -462,7 +462,8 @@ $(function() {
var converter = new Markdown.Converter();
$('#description').on('keyup', function() {
$('#description-preview').html(
converter.makeHtml(escapeHtml($('#description').val())));
DOMPurify.sanitize(converter.makeHtml($('#description').val()))
);
});

$('#description').textcomplete([{
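Review bot: The expression `DOMPurify.sanitize(converter.makeHtml($(...).val()))` is now repeated verbatim in this hunk and again in decklist.v2.js, deckview.v2.js, publish_deck_form.v2.js and zoom.js, so any later tightening of the sanitizer policy (an `ALLOWED_TAGS` list, `FORBID_ATTR`, a hook) would have to be applied in eight separate call sites. Extract one shared helper such as `function renderMarkdown(converter, text) { return DOMPurify.sanitize(converter.makeHtml(text)); }` in a script loaded before these files and call it from each handler. Dropping `escapeHtml` means raw HTML in the Markdown source is now passed through and only the DOMPurify default policy filters it; if the intent is Markdown-only input, that helper is also the single place to pass a restrictive config. The enclosing `$(function() {...})` callback starts and ends outside the hunk.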
8 changes: 5 additions & 3 deletions web/js/decklist.v2.js
Expand Up @@ -110,7 +110,7 @@ function setup_comment_form() {
$('#comment-form-text').on(
'keyup',
function () {
$('#comment-form-preview').html(converter.makeHtml(escapeHtml($('#comment-form-text').val())));
$('#comment-form-preview').html(DOMPurify.sanitize(converter.makeHtml($('#comment-form-text').val())));
}
);

Expand Down Expand Up @@ -385,10 +385,12 @@ function edit_form() {

var converter = new Markdown.Converter();
$('#publish-decklist-description-preview').html(
converter.makeHtml(escapeHtml($('#publish-decklist-description').val())));
DOMPurify.sanitize(converter.makeHtml($('#publish-decklist-description').val()))
);
$('#publish-decklist-description').on('keyup', function() {
$('#publish-decklist-description-preview').html(
converter.makeHtml(escapeHtml($('#publish-decklist-description').val())));
DOMPurify.sanitize(converter.makeHtml($('#publish-decklist-description').val()))
);
});

$('#publish-decklist-description').textcomplete([{
8 changes: 7 additions & 1 deletion web/js/deckview.v2.js
Expand Up @@ -57,7 +57,13 @@ $(function() {
});

var converter = new Markdown.Converter();
$('#description').html(converter.makeHtml(SelectedDeck.description ? SelectedDeck.description : '<i>No description.</i>'));
$('#description').html(
DOMPurify.sanitize(
converter.makeHtml(
SelectedDeck.description ? SelectedDeck.description : '<i>No description.</i>'
)
)
);

$('.btn-actions').on({
click: do_action_deck
7 changes: 5 additions & 2 deletions web/js/publish_deck_form.v2.js
@@ -1,10 +1,13 @@
function initialize_publish_deck_form_typeahead() {
var converter = new Markdown.Converter();
$('#publish-decklist-description-preview').html(
converter.makeHtml($('#publish-decklist-description').val()));
DOMPurify.sanitize(converter.makeHtml($('#publish-decklist-description').val()))
);

$('#publish-decklist-description').on('keyup', function() {
$('#publish-decklist-description-preview').html(
converter.makeHtml($('#publish-decklist-description').val()));
DOMPurify.sanitize(converter.makeHtml($('#publish-decklist-description').val()))
);
});

$('#publish-decklist-description').textcomplete([{
11 changes: 0 additions & 11 deletions web/js/sanitize.js

This file was deleted.

8 changes: 4 additions & 4 deletions web/js/zoom.js
Expand Up @@ -41,7 +41,7 @@ function add_ruling(event) {
$('#add-ruling-form-text').on(
'keyup',
function () {
$('#add-ruling-form-preview').html(converter.makeHtml($('#add-ruling-form-text').val()));
$('#add-ruling-form-preview').html(DOMPurify.sanitize(converter.makeHtml($('#add-ruling-form-text').val())));
}
);

Expand Down Expand Up @@ -105,7 +105,7 @@ function edit_ruling(event) {
$('#edit-ruling-form-text').on(
'keyup',
function () {
$('#edit-ruling-form-preview').html(converter.makeHtml($('#edit-ruling-form-text').val()));
$('#edit-ruling-form-preview').html(DOMPurify.sanitize(converter.makeHtml($('#edit-ruling-form-text').val())));
}
);

Expand Down Expand Up @@ -175,7 +175,7 @@ function write_comment(event) {
$('.comment-form-text').on(
'keyup',
function () {
$('.comment-form-preview').html(converter.makeHtml($('.comment-form-text').val()));
$('.comment-form-preview').html(DOMPurify.sanitize(converter.makeHtml($('.comment-form-text').val())));
}
);

Expand Down Expand Up @@ -318,7 +318,7 @@ function write_review_open(event) {
$('.review-form-text').on(
'keyup',
function () {
$('.review-form-preview').html(converter.makeHtml(escapeHtml($('.review-form-text').val())));
$('.review-form-preview').html(DOMPurify.sanitize(converter.makeHtml($('.review-form-text').val())));
}
);

