From e8f2ba924c7032b63e5bd6e02a8726f7bd124510 Mon Sep 17 00:00:00 2001
From: Samuel Clay
Date: Thu, 18 Jan 2018 15:27:18 -0800
Subject: [PATCH] Fixing XSS on search query. Thanks to @reybango for discovering and disclosing this vulnerability.

---
 media/js/newsblur/common/router.js | 19 ++++++++++++++-----
 media/js/newsblur/views/feed_search_view.js | 2 +-
 media/js/vendor/jquery.newsblur.js | 2 +-
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/media/js/newsblur/common/router.js b/media/js/newsblur/common/router.js
index 42a4813fe..0acd14a3d 100644
--- a/media/js/newsblur/common/router.js
+++ b/media/js/newsblur/common/router.js
@@ -32,7 +32,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
 // NEWSBLUR.log(["site", site_id, slug]);
 site_id = parseInt(site_id, 10);
 var feed = NEWSBLUR.assets.get_feed(site_id);
- var query = $.getQueryString('search');
+ var query = this.extract_query();
 if (query) {
 NEWSBLUR.reader.flags.searching = true;
 NEWSBLUR.reader.flags.search = query;
@@ -55,7 +55,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
 var options = {
 router: true
 };
- var query = $.getQueryString('search');
+ var query = this.extract_query();
 if (query) {
 NEWSBLUR.reader.flags.searching = true;
 NEWSBLUR.reader.flags.search = query;
@@ -70,7 +70,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
 router: true,
 tag: tag
 };
- var query = $.getQueryString('search');
+ var query = this.extract_query();
 if (query) {
 NEWSBLUR.reader.flags.searching = true;
 NEWSBLUR.reader.flags.search = query;
@@ -84,7 +84,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
 folder_name = folder_name.replace(/-/g, ' ');
 // NEWSBLUR.log(["folder", folder_name]);
 var options = {router: true};
- var query = $.getQueryString('search');
+ var query = this.extract_query();
 if (query) {
 NEWSBLUR.reader.flags.searching = true;
 NEWSBLUR.reader.flags.search = query;
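Review bot: The `if (query)` guard that follows each new `this.extract_query()` call (hunks at -32, -55, -70, -84, and likewise -111 in the next hunk) no longer protects the no-search case, because extract_query calls `.replace` on the raw value before returning it, and `$.getQueryString` returns `params[name]`, which is undefined when the URL carries no `search` parameter (see the jquery.newsblur.js hunk). Unless `$.getQueryString` has a fallback outside the shown hunk, every route loaded without `?search=` would now throw a TypeError inside the router, where previously the falsy value was simply skipped. The cheapest fix is an early return inside extract_query before the replace: `if (!search) return search;`. The enclosing route handlers start and end outside these hunks.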
@@ -111,7 +111,7 @@ NEWSBLUR.Router = Backbone.Router.extend({
 social: function(user_id, slug) {
 NEWSBLUR.log(["router:social", user_id, slug]);
- var query = $.getQueryString('search');
+ var query = this.extract_query();
 if (query) {
 NEWSBLUR.reader.flags.searching = true;
 NEWSBLUR.reader.flags.search = query;
@@ -134,6 +134,15 @@ NEWSBLUR.Router = Backbone.Router.extend({
 }
 },
+ extract_query: function() {
+ var search = $.getQueryString('search');
+ var sanitized = search.replace(/[^\w\s]+/g, " ");
+
+ // console.log('extract_query', search, sanitized);
+
+ return sanitized;
+ },
+
 user: function(user) {
 NEWSBLUR.log(["user", user]);
 }
diff --git a/media/js/newsblur/views/feed_search_view.js b/media/js/newsblur/views/feed_search_view.js
index 528650df7..1a816c59a 100644
--- a/media/js/newsblur/views/feed_search_view.js
+++ b/media/js/newsblur/views/feed_search_view.js
@@ -176,7 +176,7 @@ NEWSBLUR.Views.FeedSearchView = Backbone.View.extend({
 search: function() {
 var $search = this.$("input[name=feed_search]");
- var query = $search.val();
+ var query = _.escape($search.val());
 if (query != NEWSBLUR.reader.flags.search) {
 NEWSBLUR.reader.flags.searching = true;
diff --git a/media/js/vendor/jquery.newsblur.js b/media/js/vendor/jquery.newsblur.js
index eb9b3fd5b..995f972d0 100644
--- a/media/js/vendor/jquery.newsblur.js
+++ b/media/js/vendor/jquery.newsblur.js
@@ -441,7 +441,7 @@ NEWSBLUR.log = function(msg) {
 while (e = r.exec(q)) params[d(e[1])] = d(e[2]);
- // console.log(['get query string', name, params, params[name]]);
+ return params[name];
 },
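Review bot: `search.replace(/[^\w\s]+/g, " ")` in the new extract_query is a character allow-list rather than output encoding: without the `u` flag `\w` matches only ASCII letters, digits and underscore, so a non-ASCII query (accented or non-Latin text) is reduced to spaces, and legitimate ASCII punctuation such as `c++` or `node.js` is altered before the term is stored in `NEWSBLUR.reader.flags.search`. A query-string value cannot cause injection until it is written into the page, so the durable protection is encoding at the render site (`_.escape` in the template, or `.text()` rather than `.html()`), which lies outside this diff. Unless the stripping is intended as a deliberate restriction on searchable characters, I would keep the raw value here and fix the rendering site, or at minimum document the trade-off with a comment such as `// Strips everything outside ASCII word characters and whitespace; non-ASCII search terms are lost.` The commented-out `// console.log(...)` line should be removed rather than committed.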
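Review bot: `_.escape($search.val())` in the feed_search_view.js hunk HTML-encodes the term at input time, so the stored `NEWSBLUR.reader.flags.search` (and, presumably, the query later sent to the server) now holds `&amp;`, `&#x27;` and `&quot;` entities instead of the characters the user typed, which changes what is searched and will double-encode if the rendering template already escapes. It is also a different transformation from the regex stripping the router now applies, so the same typed query arrives in two different forms depending on the entry point, and the `query != NEWSBLUR.reader.flags.search` comparison on the next line can report a spurious change. Escaping belongs where the query is written into the DOM; keep `var query = $search.val();` here and apply `_.escape` (or `.text()`) at the render site. The enclosing `search` method continues past the hunk.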