From fe1b6e4c5966be055d9dc03efe9c00d23ec55fc1 Mon Sep 17 00:00:00 2001
From: Christian Mueller
Date: Sun, 10 Jun 2012 23:01:32 +0200
Subject: [PATCH] all user inputs escaped
---
 src/NoteHub/views/common.clj | 45 +++++++++++++++++++-----------------
 src/NoteHub/views/pages.clj | 9 +++++---
 2 files changed, 30 insertions(+), 24 deletions(-)
diff --git a/src/NoteHub/views/common.clj b/src/NoteHub/views/common.clj
index b92951d..0f3e8d0 100644
--- a/src/NoteHub/views/common.clj
+++ b/src/NoteHub/views/common.clj
@@ -4,33 +4,36 @@
 [NoteHub.views.css-generator]
 [noir.core :only [defpartial]]
 [noir.options :only [dev-mode?]]
+ [hiccup.util :only [escape-html]]
 [hiccup.page :only [include-js html5]]
 [hiccup.element :only [javascript-tag]]))
 ; Creates the main html layout
 (defpartial generate-layout [params title & content]
- (html5
- [:head
- [:title (print-str (get-message :name) "—" title)]
- [:link {:href
- (clojure.string/replace
- (str "http://fonts.googleapis.com/css?family="
- (apply str
- (interpose "|" (concat ["PT+Serif:700" "Noticia+Text:700"]
- (vals (select-keys params
- [:header-font :text-font])))))
- "&subset=latin,cyrillic") " " "+")
- :rel "stylesheet"
- :type "text/css"}]
- [:style {:type "text/css"} (global-css params)]
- (if-not dev-mode? (include-js "/js/google-analytics.js"))]
- (if (params :js)
- [:body content
- (javascript-tag "var CLOSURE_NO_DEPS = true;")
- (include-js "https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js")
- (include-js "/cljs/main.js")]
- [:body content])))
+ ; for the sake of security: escape all symbols of the param values
+ (let [params (into {} (for [[k v] params] [k (escape-html v)]))]
+ (html5
+ [:head
+ [:title (print-str (get-message :name) "—" title)]
+ [:link {:href
+ (clojure.string/replace
+ (str "http://fonts.googleapis.com/css?family="
+ (apply str
+ (interpose "|" (concat ["PT+Serif:700" "Noticia+Text:700"]
+ (vals (select-keys params
+ [:header-font :text-font])))))
+ "&subset=latin,cyrillic") " " "+")
+ :rel "stylesheet"
+ :type "text/css"}]
+ [:style {:type "text/css"} (global-css params)]
+ (if-not dev-mode? (include-js "/js/google-analytics.js"))]
+ (if (params :js)
+ [:body content
+ (javascript-tag "var CLOSURE_NO_DEPS = true;")
+ (include-js "https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js")
+ (include-js "/cljs/main.js")]
+ [:body content]))))
 (defn layout
 "Generates the main html layout"
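Review bot: Escaping every value in `params` with `escape-html` changes the type of non-string entries, so the `(if (params :js) ...)` check further down the same `let` no longer sees a boolean: if `escape-html` stringifies its argument the way hiccup's `as-str`-based version does, `false` becomes the truthy string `"false"` and `nil` becomes `""` (also truthy in Clojure), and the jQuery and `/cljs/main.js` scripts are included unconditionally. Restrict the escaping to string values, `(let [params (into {} (for [[k v] params] [k (if (string? v) (escape-html v) v)]))]`, or escape only `:header-font`/`:text-font` where they are used. Those two values also end up in a URL query string and, through `global-css`, inside the `<style>` block, where HTML escaping is not the matching sanitisation and hiccup's compiler already escapes attribute values, so an allowlist of accepted font names would be the more robust check; `global-css` is not visible here, so that part is a suggestion to verify.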
diff --git a/src/NoteHub/views/pages.clj b/src/NoteHub/views/pages.clj
index 53fda65..6d5f6e1 100644
--- a/src/NoteHub/views/pages.clj
+++ b/src/NoteHub/views/pages.clj
@@ -8,7 +8,8 @@
 [clojure.string :rename {replace sreplace} :only [split replace lower-case]]
 [clojure.core.incubator :only [-?>]]
 [hiccup.form]
- [hiccup.page]
+ [hiccup.core]
+ [hiccup.util :only [escape-html]]
 [noir.session :only [flash-put! flash-get]]
 [noir.response :only [redirect status]]
 [noir.core :only [defpage render]]
@@ -69,7 +70,7 @@
 [:table.central-element.helvetica-neue
 [:tr (for [e [:column-why :column-how :column-geeks]]
- (html5
+ (html
 [:td.one-third-column [:h2 (get-message e)]
 (md-to-html (get-message (keyword (str (name e) "-long"))))]))]]
 [:div.centered.helvetica-neue (md-to-html (get-message :created-by))]))
@@ -119,7 +120,7 @@
 ; New Note Posting
 (defpage [:post "/post-note"] {:keys [draft session-key session-value]}
 (let [valid-session (flash-get session-key) ; it was posted from a newly generated form
- valid-draft (not (empty? draft)) ; the note is non-empty
+ valid-draft (not (ccs/blank? draft)) ; the note has a meaningful content
 valid-hash (try (= (Short/parseShort session-value) ; the hash code is correct
 (lib/hash #(.codePointAt % 0) (str draft session-key)))
@@ -128,6 +129,8 @@
 (if (and valid-session valid-draft valid-hash)
 (let [[year month day] (map #(+ (second %) (.get (Calendar/getInstance) (first %)))
 {Calendar/YEAR 0, Calendar/MONTH 1, Calendar/DAY_OF_MONTH 0})
+ ; This is the _only_ point where user's content enters the web app, so we escape the content.
+ draft (escape-html draft)
 untrimmed-line (filter #(or (= \- %) (Character/isLetterOrDigit %))
 (-> draft ccs/split-lines first (sreplace " " "-") lower-case))
 trim (fn [s] (apply str (drop-while #(= \- %) s)))
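Review bot: In the `@@ -128,6 +129,8 @@` hunk the new `draft (escape-html draft)` binding comes before `untrimmed-line`, so the URL slug is now derived from the escaped text: a first line containing `"` or `&` contributes the letters of `&quot;` or `&amp;` to the slug, because the filter keeps letters and digits and only drops `&` and `;`. Bind `untrimmed-line` from the raw `draft` first and move `draft (escape-html draft)` below it, or derive the slug from a separate binding that holds the original text. Escaping the note before it is stored and later fed to `md-to-html` also changes Markdown semantics, e.g. a line starting with `>` is stored as `&gt;` and no longer becomes a blockquote; `md-to-html` is not visible here, but sanitising its HTML output at render time is the usual place for this, and the "_only_ point" comment would then need updating. The `defpage` body continues outside the hunk.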