From: Jiten Bhagat
Subject: Re: [myexperiment-hackers] [2394] trunk/app: Fix for case 98981 - javascript injection in Pack name, reported by Jits.
Date: Tue, 27 Apr 2010 17:35:03 +0100
User-agent: Thunderbird 2.0.0.24 (Windows/20100228)

Hi Dan,

Just a note that with the tooltips, the idea is to sometimes allow HTML,
so that richer tooltips can be shown (i.e. with lists, bold text, italic
text, etc.). By changing it in the core method this might "break"
existing tooltips?

Cheers,
Jits


address@hidden wrote:
>
> Revision
>     2394
> Author
>     dtm
> Date
>     2010-04-27 12:18:07 -0400 (Tue, 27 Apr 2010)
>
>
>       Log Message
>
> Fix for case 98981 - javascript injection in Pack name, reported by Jits.
> Fix for javascript injection in tooltips.
>
>
>       Modified Paths
>
>     * trunk/app/helpers/application_helper.rb
>     * trunk/app/views/group_announcements/index.rhtml
>     * trunk/app/views/networks/_announcements.rhtml
>
>
>       Diff
>
>
>         Modified: trunk/app/helpers/application_helper.rb (2393 => 2394)
>
>
> --- trunk/app/helpers/application_helper.rb   2010-04-27 15:41:01 UTC (rev 
> 2393)
> +++ trunk/app/helpers/application_helper.rb   2010-04-27 16:18:07 UTC (rev 
> 2394)
> @@ -390,7 +390,7 @@
>        end
>      when "Pack"
>        if p = Pack.find(:first, :conditions => ["id = ?", contributableid])
> -        return link ? link_to(p.title, pack_url(p)) : h(p.title)
> +        return link ? link_to(h(p.title), pack_url(p)) : h(p.title)
>        else
>          return nil
>        end
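Review bot: wrapping the label in `h(p.title)` is the right fix on the link branch, because `link_to` in this Rails version does not escape its first argument, and the unlinked branch already returns `h(p.title)`, so both paths now agree. The surrounding context (`end` / `when "Pack"`) shows this is one arm of a larger `case` over contributable types; the other arms' `link_to` calls should be checked for the same unescaped-label pattern before this is considered closed.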
> @@ -990,7 +990,7 @@
>    end
>    
>    def tooltip_title_attrib(text, delay=200)
> -    return "header=[] body=[#{text}] cssheader=[boxoverTooltipHeader] 
> cssbody=[boxoverTooltipBody] delay=[#{delay}]"
> +    return "header=[] body=[#{h(text)}] cssheader=[boxoverTooltipHeader] 
> cssbody=[boxoverTooltipBody] delay=[#{delay}]"
>    end
>    
>    # This method checks to see if the current user is allowed to approve a 
> membership that is still pending approval
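Review bot: escaping inside `tooltip_title_attrib` changes behaviour for every caller at once, including tooltips that pass markup on purpose (the reply at the top of this message raises exactly that); if some callers rely on HTML bodies, the escape belongs at the call sites that pass untrusted values, as the Pack hunk does with `h(p.title)`, or the helper needs an explicit parameter for trusted markup. Separately, `h` escapes `&`, `<`, `>` and `"` but not `]`, and `]` is the closing delimiter of the `body=[...]` token, so a value containing `]` still truncates the tooltip body after this change (a rendering defect rather than script injection, since the tag characters are neutralised).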
>
>
>         Modified: trunk/app/views/group_announcements/index.rhtml
>         (2393 => 2394)
>
>
> --- trunk/app/views/group_announcements/index.rhtml   2010-04-27 15:41:01 UTC 
> (rev 2393)
> +++ trunk/app/views/group_announcements/index.rhtml   2010-04-27 16:18:07 UTC 
> (rev 2394)
> @@ -5,7 +5,7 @@
>  <% end %>
>  
>  <h1>
> -     <%= feed_icon_tag "Group address@hidden Announcements", 
> formatted_group_announcements_path(@group, :rss) %>
> +     <%= feed_icon_tag "Group #{h(@group.title)} Announcements", 
> formatted_group_announcements_path(@group, :rss) %>
>       <%= @group.announcements_in_public_mode_for_user(current_user) ? 
> "Public " : "All " -%> Group Announcements (<%= @announcements.length %>)
>       <br/>
>       <span style="font-size: 77%;">for group: <%= link_to_function 
> h(@group.title) + expand_image, visual_effect(:toggle_blind, "group_box", 
> :duration => 0.3) -%></span>
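Review bot: the `-` line shows `address@hidden` where the list archive's address obfuscation has mangled `#{@group.title}`, so the removed line as displayed is not what was in the file; the `+` line shows the intended form. The `for group:` line a few lines further down already wraps `@group.title` in `h(...)`, so the heading is now consistent with it. One open question: does `feed_icon_tag` escape its title argument itself when building the tag attribute? If it does, this now double-escapes (an `&` in a group title would render as `&amp;`); if it does not, every caller must remember to escape, and moving the `h` into `feed_icon_tag` would be the more robust fix.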
>
>
>         Modified: trunk/app/views/networks/_announcements.rhtml (2393
>         => 2394)
>
>
> --- trunk/app/views/networks/_announcements.rhtml     2010-04-27 15:41:01 UTC 
> (rev 2393)
> +++ trunk/app/views/networks/_announcements.rhtml     2010-04-27 16:18:07 UTC 
> (rev 2394)
> @@ -6,7 +6,7 @@
>       
>       <p class="heading" style="margin: 0;">
>               <span style="position: relative; z-index: 1000; float: left;">
> -                     <%= feed_icon_tag "#{group.title} Group Announcements", 
> formatted_group_announcements_path(group, :rss) -%>
> +                     <%= feed_icon_tag "#{h(group.title)} Group 
> Announcements", formatted_group_announcements_path(group, :rss) -%>
>               </span>
>               <a name="group_announcements"></a>
>               <%= link_to "Announcements", group_announcements_url(group) -%>
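Review bot: this is the same call-site escape of the `feed_icon_tag` title as in `group_announcements/index.rhtml`, which means two templates now carry the identical `"... Group Announcements"` string with `h(...)` applied by hand; that is an argument for escaping inside `feed_icon_tag` (or a shared helper that builds this title) rather than at each call, since a third template copying the unescaped form would reintroduce the bug. The `+` line appears split across `Group` / `Announcements` only because of mail wrapping, not because the string changed.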
> ------------------------------------------------------------------------
>
> _______________________________________________
> myexperiment-hackers mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/myexperiment-hackers
>   
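The trade-off discussed in this thread, as an added example that is not part of the commit or of either message: the `tooltip_title_attrib` helper is reproduced in its pre- and post-revision-2394 forms, beside the call-site alternative the reply points at (escape untrusted values where they are passed, leave the core helper raw for tooltips that carry markup deliberately). `h` is stood in by Ruby's `ERB::Util.html_escape`, which is what the Rails `h` helper wraps; `boxover_body` is a constructed minimal reader of the `body=[...]` token, not the boxover library's parser, and exists only to show that `]` closes the value. The sample titles are constructed.

```ruby
require 'erb'

# Stand-in for Rails' h() helper so the example runs outside Rails.
# Assumption: like the app's h(), it escapes & < > " (ERB::Util also
# escapes ', which does not matter for the inputs below).
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# The helper as it was before revision 2394: the text is interpolated raw
# into the boxover attribute string, so markup in it reaches the browser.
def tooltip_title_attrib_raw(text, delay = 200)
  "header=[] body=[#{text}] cssheader=[boxoverTooltipHeader] " \
    "cssbody=[boxoverTooltipBody] delay=[#{delay}]"
end

# The helper as changed by revision 2394: the text is escaped inside the
# core method, for every caller, intended rich HTML included.
def tooltip_title_attrib_escaped(text, delay = 200)
  "header=[] body=[#{h(text)}] cssheader=[boxoverTooltipHeader] " \
    "cssbody=[boxoverTooltipBody] delay=[#{delay}]"
end

# The alternative raised in the reply: keep the core helper raw for
# tooltips that carry markup on purpose, and escape at the call sites
# that pass untrusted values (as the Pack hunk does with h(p.title)).
def tooltip_title_attrib_for_untrusted(text, delay = 200)
  tooltip_title_attrib_raw(h(text), delay)
end

# Constructed minimal reader for the body=[...] token; boxover itself is
# not on the page. It only models that the first ']' closes the value.
def boxover_body(attrib_string)
  attrib_string[/body=\[([^\]]*)\]/, 1]
end

# True when a raw '<' survives into the attribute string.
def contains_raw_tags?(attrib_string)
  attrib_string.include?("<")
end

# Constructed sample values (not from the page).
RICH_TOOLTIP  = "<b>Owner:</b> alice <ul><li>public</li></ul>" # written by a developer
USER_TITLE    = "My pack <script>x()</script>"                 # typed by a user
BRACKET_TITLE = "Results [run 2]"                              # contains the delimiter

if __FILE__ == $0
  [RICH_TOOLTIP, USER_TITLE, BRACKET_TITLE].each do |value|
    puts "input:            #{value}"
    puts "  raw body:       #{boxover_body(tooltip_title_attrib_raw(value))}"
    puts "  escaped body:   #{boxover_body(tooltip_title_attrib_escaped(value))}"
    puts "  untrusted body: #{boxover_body(tooltip_title_attrib_for_untrusted(value))}"
  end
end
```

Running it shows the three outcomes the thread is weighing: the raw helper passes both the developer's list markup and the user's tag through unchanged; the escaped helper neutralises both, which is the "break existing tooltips" concern; escaping at the call site gives the same string as the escaped helper for the untrusted title while leaving the rich tooltip intact. The bracket title shows the residual issue that `h` does not address: its body is cut at the first `]` in every variant.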