Fixed issues reported by cure53.de

Fixed issues CLP-01-014 and CLP-01-015
This commit is contained in:
Giulio Cesare Solaroli 2014-05-02 17:14:18 +02:00
parent 03659f6b3d
commit ed6b4edc82
No known key found for this signature in database
GPG Key ID: 22E34C908F02CBA2
5 changed files with 47 additions and 11 deletions

View File

@ -246,6 +246,34 @@ MochiKit.Base.update(Clipperz.Base, {
return result;
},
'javascriptInjectionPattern': new RegExp("javascript:\/\/\"", "g"),
'sanitizeUrl': function(aValue) {
var result;
if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) {
result = aValue.replace(this.javascriptInjectionPattern, '');
console.log("sanitized url", aValue, result);
} else {
result = aValue;
}
return result;
},
'sanitizeFavicon': function(aValue) {
var result;
if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) {
result = aValue.replace(this.javascriptInjectionPattern, '');
console.log("sanitized favicon", aValue, result);
} else {
result = aValue;
}
return result;
},
//-------------------------------------------------------------------------
'exception': {

View File

@ -138,7 +138,7 @@ Clipperz.PM.BookmarkletProcessor.prototype = MochiKit.Base.update(null, {
if (this._hostname == null) {
var actionUrl;
actionUrl = this.configuration()['form']['attributes']['action'];
actionUrl = Clipperz.Base.sanitizeUrl(this.configuration()['form']['attributes']['action']);
//MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl);
this._hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1');
}

View File

@ -100,7 +100,7 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C
result.push(option);
for (recordFieldKey in recordFields) {
// TODO: remove the value: field and replace it with element.dom.value = <some value>
option = {tag:'option', value:recordFieldKey, html:recordFields[recordFieldKey].label()}
option = {tag:'option', value:recordFieldKey, html:Clipperz.Base.sanitizeString(recordFields[recordFieldKey].label())}
if (recordFieldKey == this.directLoginBinding().fieldKey()) {
option['selected'] = true;
}
@ -150,7 +150,7 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C
this.getElement('editModeBox').hide();
this.getElement('viewModeBox').show();
this.getElement('viewValue').update(this.directLoginBinding().field().label());
this.getElement('viewValue').update(Clipperz.Base.sanitizeString(this.directLoginBinding().field().label()));
//MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode");
},

View File

@ -38,7 +38,7 @@ Clipperz.PM.DataModel.DirectLogin = function(args) {
this._record = args.record || null;
this._label = args.label || "unnamed record"
this._reference = args.reference || Clipperz.PM.Crypto.randomKey();
this._favicon = args.favicon || null;
this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null;
this._bookmarkletVersion = args.bookmarkletVersion || "0.1";
this._directLoginInputs = null;
@ -102,9 +102,9 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
var actionUrl;
var hostname;
actionUrl = this.formData()['attributes']['action'];
actionUrl = this.action();
hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1');
this._favicon = "http://" + hostname + "/favicon.ico";
this._favicon = Clipperz.Base.sanitizeFavicon("http://" + hostname + "/favicon.ico");
}
return this._favicon;
@ -137,6 +137,14 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
this._fixedFavicon = aValue;
},
'action': function () {
var result;
result = Clipperz.Base.sanitizeUrl(this.formData()['attributes']['action']);
return result;
},
//-------------------------------------------------------------------------
'bookmarkletVersion': function() {
@ -442,7 +450,7 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
//MochiKit.Logging.logDebug("### runDirectLogin - 4");
//console.log(this.formData()['attributes']);
formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, { 'method':this.formData()['attributes']['method'],
'action':this.formData()['attributes']['action']}));
'action': this.action()}));
//MochiKit.Logging.logDebug("### runDirectLogin - 5");
formSubmitFunction = MochiKit.Base.method(formElement, 'submit');
//MochiKit.Logging.logDebug("### runDirectLogin - 6");
@ -487,9 +495,9 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
//console.log("formData.attributes", this.formData()['attributes']);
// if (/^javascript/.test(this.formData()['attributes']['action'])) {
if ((/^(https?|webdav|ftp)\:/.test(this.formData()['attributes']['action']) == false) &&
(this.formData()['attributes']['type'] != 'http_auth'))
{
if ((/^(https?|webdav|ftp)\:/.test(this.action()) == false) &&
(this.formData()['attributes']['type'] != 'http_auth')
) {
var messageBoxConfiguration;
if (typeof(aNewWindow) != 'undefined') {

View File

@ -47,7 +47,7 @@ Clipperz.PM.DataModel.DirectLoginReference = function(args) {
this._reference = args.reference;
this._recordReference = args.record;
this._label = args.label;
this._favicon = args.favicon || null;
this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null;
this._directLogin = null;
this._record = null;