all user inputs escaped

14 years ago · fe1b6e4c59
2 changed files with 30 additions and 24 deletions
--- a/src/NoteHub/views/common.clj
+++ b/src/NoteHub/views/common.clj
@ -4,33 +4,36 @@
				@@ -4,33 +4,36 @@
    [NoteHub.views.css-generator]
    [noir.core :only [defpartial]]
    [noir.options :only [dev-mode?]]
+    [hiccup.util :only [escape-html]]
    [hiccup.page :only [include-js html5]]
    [hiccup.element :only [javascript-tag]]))

 ; Creates the main html layout
 (defpartial generate-layout 
            [params title & content]
-            (html5
-              [:head
-               [:title (print-str (get-message :name) "&mdash;" title)]
-               [:link {:href 
-                       (clojure.string/replace
-                         (str "http://fonts.googleapis.com/css?family="
-                              (apply str
-                                     (interpose "|" (concat ["PT+Serif:700" "Noticia+Text:700"]
-                                                            (vals (select-keys params 
-                                                                               [:header-font :text-font])))))
-                              "&subset=latin,cyrillic") " " "+")
-                       :rel "stylesheet"
-                       :type "text/css"}]
-               [:style {:type "text/css"} (global-css params)]
-               (if-not dev-mode? (include-js "/js/google-analytics.js"))]
-              (if (params :js)
-                [:body content
-                 (javascript-tag "var CLOSURE_NO_DEPS = true;")
-                 (include-js "https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js")
-                 (include-js "/cljs/main.js")]
-                [:body content])))
+            ; for the sake of security: escape all symbols of the param values
+            (let [params (into {} (for [[k v] params] [k (escape-html v)]))]
+              (html5
+                [:head
+                 [:title (print-str (get-message :name) "&mdash;" title)]
+                 [:link {:href 
+                         (clojure.string/replace
+                           (str "http://fonts.googleapis.com/css?family="
+                                (apply str
+                                       (interpose "|" (concat ["PT+Serif:700" "Noticia+Text:700"]
+                                                              (vals (select-keys params 
+                                                                                 [:header-font :text-font])))))
+                                "&subset=latin,cyrillic") " " "+")
+                         :rel "stylesheet"
+                         :type "text/css"}]
+                 [:style {:type "text/css"} (global-css params)]
+                 (if-not dev-mode? (include-js "/js/google-analytics.js"))]
+                (if (params :js)
+                  [:body content
+                   (javascript-tag "var CLOSURE_NO_DEPS = true;")
+                   (include-js "https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js")
+                   (include-js "/cljs/main.js")]
+                  [:body content]))))

 (defn layout
  "Generates the main html layout"
--- a/src/NoteHub/views/pages.clj
+++ b/src/NoteHub/views/pages.clj
@ -8,7 +8,8 @@
				@@ -8,7 +8,8 @@
    [clojure.string :rename {replace sreplace} :only [split replace lower-case]]
    [clojure.core.incubator :only [-?>]]
    [hiccup.form]
-    [hiccup.page]
+    [hiccup.core]
+    [hiccup.util :only [escape-html]]
    [noir.session :only [flash-put! flash-get]]
    [noir.response :only [redirect status]]
    [noir.core :only [defpage render]]
@ -69,7 +70,7 @@
				@@ -69,7 +70,7 @@
                 [:table.central-element.helvetica-neue
                  [:tr
                   (for [e [:column-why :column-how :column-geeks]]
-                     (html5  
+                     (html  
                       [:td.one-third-column
                        [:h2 (get-message e)] (md-to-html (get-message (keyword (str (name e) "-long"))))]))]]
                 [:div.centered.helvetica-neue (md-to-html (get-message :created-by))]))
@ -119,7 +120,7 @@
				@@ -119,7 +120,7 @@
 ; New Note Posting
 (defpage [:post "/post-note"] {:keys [draft session-key session-value]}
         (let [valid-session (flash-get session-key) ; it was posted from a newly generated form
-               valid-draft (not (empty? draft)) ; the note is non-empty
+               valid-draft (not (ccs/blank? draft)) ; the note has a meaningful content
               valid-hash (try
                            (= (Short/parseShort session-value) ; the hash code is correct 
                               (lib/hash #(.codePointAt % 0) (str draft session-key)))
@ -128,6 +129,8 @@
				@@ -128,6 +129,8 @@
           (if (and valid-session valid-draft valid-hash)
             (let [[year month day] (map #(+ (second %) (.get (Calendar/getInstance) (first %))) 
                                         {Calendar/YEAR 0, Calendar/MONTH 1, Calendar/DAY_OF_MONTH 0})
+                   ; This is the _only_ point where user's content enters the web app, so we escape the content.
+                   draft (escape-html draft)
                   untrimmed-line (filter #(or (= \- %) (Character/isLetterOrDigit %)) 
                                          (-> draft ccs/split-lines first (sreplace " " "-") lower-case))
                   trim (fn [s] (apply str (drop-while #(= \- %) s)))