Merge pull request #9540 from MrPetovan/bug/9538-security-blind-attack-username

Escape contact names in several HTML snippets/jQuery insert contexts
This commit is contained in:
Michael Vogel 2020-11-18 00:20:43 +01:00 committed by GitHub
commit c6d647b8df
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 39 additions and 47 deletions

View file

@ -133,7 +133,7 @@ function ping_init(App $a)
exit(); exit();
} }
$notifs = ping_get_notifications(local_user()); $notifications = ping_get_notifications(local_user());
$condition = ["`unseen` AND `uid` = ? AND NOT `origin` AND (`vid` != ? OR `vid` IS NULL)", $condition = ["`unseen` AND `uid` = ? AND NOT `origin` AND (`vid` != ? OR `vid` IS NULL)",
local_user(), Verb::getID(Activity::FOLLOW)]; local_user(), Verb::getID(Activity::FOLLOW)];
@ -263,8 +263,8 @@ function ping_init(App $a)
$data['birthdays'] = $birthdays; $data['birthdays'] = $birthdays;
$data['birthdays-today'] = $birthdays_today; $data['birthdays-today'] = $birthdays_today;
if (DBA::isResult($notifs)) { if (DBA::isResult($notifications)) {
foreach ($notifs as $notif) { foreach ($notifications as $notif) {
if ($notif['seen'] == 0) { if ($notif['seen'] == 0) {
$sysnotify_count ++; $sysnotify_count ++;
} }
@ -277,14 +277,14 @@ function ping_init(App $a)
$notif = [ $notif = [
'id' => 0, 'id' => 0,
'href' => DI::baseUrl() . '/notifications/intros/' . $intro['id'], 'href' => DI::baseUrl() . '/notifications/intros/' . $intro['id'],
'name' => $intro['name'], 'name' => BBCode::convert($intro['name']),
'url' => $intro['url'], 'url' => $intro['url'],
'photo' => $intro['photo'], 'photo' => $intro['photo'],
'date' => $intro['datetime'], 'date' => $intro['datetime'],
'seen' => false, 'seen' => false,
'message' => DI::l10n()->t('{0} wants to be your friend'), 'message' => DI::l10n()->t('{0} wants to be your friend'),
]; ];
$notifs[] = $notif; $notifications[] = $notif;
} }
} }
@ -314,7 +314,7 @@ function ping_init(App $a)
'seen' => false, 'seen' => false,
'message' => DI::l10n()->t('{0} and %d others requested registration', count($regs) - 1), 'message' => DI::l10n()->t('{0} and %d others requested registration', count($regs) - 1),
]; ];
$notifs[] = $notif; $notifications[] = $notif;
} }
} }
@ -337,28 +337,16 @@ function ping_init(App $a)
} }
return ($adate < $bdate) ? 1 : -1; return ($adate < $bdate) ? 1 : -1;
}; };
usort($notifs, $sort_function); usort($notifications, $sort_function);
if (DBA::isResult($notifs)) { array_walk($notifications, function (&$notification) {
foreach ($notifs as $notif) { if (empty($notification['photo'])) {
$contact = Contact::getByURL($notif['url'], false, ['micro', 'id', 'avatar']); $contact = Contact::getByURL($notification['url'], false, ['micro', 'id', 'avatar']);
$notif['photo'] = Contact::getMicro($contact, $notif['photo']); $notification['photo'] = Contact::getMicro($contact, $notif['photo']);
$local_time = DateTimeFormat::local($notif['date']);
$notifications[] = [
'id' => $notif['id'],
'href' => $notif['href'],
'name' => $notif['name'],
'url' => $notif['url'],
'photo' => $notif['photo'],
'date' => Temporal::getRelativeDate($notif['date']),
'message' => $notif['message'],
'seen' => $notif['seen'],
'timestamp' => strtotime($local_time)
];
}
} }
$notification['timestamp'] = DateTimeFormat::local($notification['date']);
});
} }
$sysmsgs = []; $sysmsgs = [];

View file

@ -23,6 +23,7 @@ namespace Friendica\Module\Notifications;
use Friendica\Content\ContactSelector; use Friendica\Content\ContactSelector;
use Friendica\Content\Nav; use Friendica\Content\Nav;
use Friendica\Content\Text\BBCode;
use Friendica\Core\Protocol; use Friendica\Core\Protocol;
use Friendica\Core\Renderer; use Friendica\Core\Renderer;
use Friendica\Database\DBA; use Friendica\Database\DBA;
@ -124,9 +125,11 @@ class Introductions extends BaseNotifications
$knowyou = ''; $knowyou = '';
} }
$convertedName = BBCode::convert($notification->getName());
$helptext = DI::l10n()->t('Shall your connection be bidirectional or not?'); $helptext = DI::l10n()->t('Shall your connection be bidirectional or not?');
$helptext2 = DI::l10n()->t('Accepting %s as a friend allows %s to subscribe to your posts, and you will also receive updates from them in your news feed.', $notification->getName(), $notification->getName()); $helptext2 = DI::l10n()->t('Accepting %s as a friend allows %s to subscribe to your posts, and you will also receive updates from them in your news feed.', $convertedName, $convertedName);
$helptext3 = DI::l10n()->t('Accepting %s as a subscriber allows them to subscribe to your posts, but you will not receive updates from them in your news feed.', $notification->getName()); $helptext3 = DI::l10n()->t('Accepting %s as a subscriber allows them to subscribe to your posts, but you will not receive updates from them in your news feed.', $convertedName);
$friend = ['duplex', DI::l10n()->t('Friend'), '1', $helptext2, true]; $friend = ['duplex', DI::l10n()->t('Friend'), '1', $helptext2, true];
$follower = ['duplex', DI::l10n()->t('Subscriber'), '0', $helptext3, false]; $follower = ['duplex', DI::l10n()->t('Subscriber'), '0', $helptext3, false];

View file

@ -4,7 +4,7 @@
$("nav").bind('nav-update', function(e,data){ $("nav").bind('nav-update', function(e,data){
var elm = $('#pending-update'); var elm = $('#pending-update');
var register = $(data).find('register').text(); var register = $(data).find('register').html();
if (register=="0") { register=""; elm.hide();} else { elm.show(); } if (register=="0") { register=""; elm.hide();} else { elm.show(); }
elm.html(register); elm.html(register);
}); });

View file

@ -168,7 +168,7 @@
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
var selstr; var selstr;
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
selstr = $(this).text(); selstr = $(this).html();
$('#jot-public').hide(); $('#jot-public').hide();
}); });
if(selstr == null) { if(selstr == null) {

View file

@ -10,7 +10,7 @@
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
var selstr; var selstr;
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
selstr = $(this).text(); selstr = $(this).html();
$('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-perms-icon').removeClass('unlock').addClass('lock');
$('#jot-public').hide(); $('#jot-public').hide();
}); });

View file

@ -9,7 +9,7 @@
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
var selstr; var selstr;
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
selstr = $(this).text(); selstr = $(this).html();
$('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-perms-icon').removeClass('unlock').addClass('lock');
$('#jot-public').hide(); $('#jot-public').hide();
}); });

View file

@ -23,7 +23,7 @@ $(document).ready(function() {
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
var selstr; var selstr;
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
selstr = $(this).text(); selstr = $(this).html();
$('#jot-public').hide(); $('#jot-public').hide();
}); });
if (selstr == null) { if (selstr == null) {

View file

@ -5,7 +5,7 @@ $(document).ready(function() {
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
var selstr; var selstr;
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
selstr = $(this).text(); selstr = $(this).html();
$('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-perms-icon').removeClass('unlock').addClass('lock');
$('#jot-public').hide(); $('#jot-public').hide();
}); });

View file

@ -192,12 +192,12 @@ function loadModalTitle() {
var title = ""; var title = "";
// Get the text of the first element with "heading" class. // Get the text of the first element with "heading" class.
title = $("#modal-body .heading").first().text(); title = $("#modal-body .heading").first().html();
// for event modals we need some speacial handling // for event modals we need some speacial handling
if($("#modal-body .event-wrapper .event-summary").length) { if($("#modal-body .event-wrapper .event-summary").length) {
title = '<i class="fa fa-calendar" aria-hidden="true"></i>&nbsp;'; title = '<i class="fa fa-calendar" aria-hidden="true"></i>&nbsp;';
var eventsum = $("#modal-body .event-wrapper .event-summary").text(); var eventsum = $("#modal-body .event-wrapper .event-summary").html();
title = title + eventsum; title = title + eventsum;
} }

View file

@ -146,7 +146,7 @@ $(document).ready(function(){
if( $(".search-content-wrapper").length ) { if( $(".search-content-wrapper").length ) {
// get the text of the heading (we catch the plain text because we don't // get the text of the heading (we catch the plain text because we don't
// want to have a h4 heading in the navbar // want to have a h4 heading in the navbar
var searchText = $(".section-title-wrapper > h2").text(); var searchText = $(".section-title-wrapper > h2").html();
// insert the plain text in a <h4> heading and give it a class // insert the plain text in a <h4> heading and give it a class
var newText = '<h4 class="search-heading">'+searchText+'</h4>'; var newText = '<h4 class="search-heading">'+searchText+'</h4>';
// append the new heading to the navbar // append the new heading to the navbar
@ -208,7 +208,7 @@ $(document).ready(function(){
// get the heading element // get the heading element
var heading = $(".network-content-wrapper > .section-title-wrapper > h2"); var heading = $(".network-content-wrapper > .section-title-wrapper > h2");
// get the text of the heading // get the text of the heading
var headingContent = heading.text(); var headingContent = heading.html();
// create a new element with the content of the heading // create a new element with the content of the heading
var newText = '<h4 class="heading" data-toggle="tooltip" title="'+headingContent+'">'+headingContent+'</h4>'; var newText = '<h4 class="heading" data-toggle="tooltip" title="'+headingContent+'">'+headingContent+'</h4>';
// remove the old heading element // remove the old heading element
@ -221,7 +221,7 @@ $(document).ready(function(){
// get the heading element // get the heading element
var heading = $(".community-content-wrapper > h3").first(); var heading = $(".community-content-wrapper > h3").first();
// get the text of the heading // get the text of the heading
var headingContent = heading.text(); var headingContent = heading.html();
// create a new element with the content of the heading // create a new element with the content of the heading
var newText = '<h4 class="heading">'+headingContent+'</h4>'; var newText = '<h4 class="heading">'+headingContent+'</h4>';
// remove the old heading element // remove the old heading element
@ -790,7 +790,7 @@ function bin2hex (s) {
// Dropdown menus with the class "dropdown-head" will display the active tab // Dropdown menus with the class "dropdown-head" will display the active tab
// as button text // as button text
function toggleDropdownText(elm) { function toggleDropdownText(elm) {
$(elm).closest(".dropdown").find('.btn').html($(elm).text() + ' <span class="caret"></span>'); $(elm).closest(".dropdown").find('.btn').html($(elm).html() + ' <span class="caret"></span>');
$(elm).closest(".dropdown").find('.btn').val($(elm).data('value')); $(elm).closest(".dropdown").find('.btn').val($(elm).data('value'));
$(elm).closest("ul").children("li").show(); $(elm).closest("ul").children("li").show();
$(elm).parent("li").hide(); $(elm).parent("li").hide();

View file

@ -3,9 +3,10 @@
$(function(){ $(function(){
$("nav").bind('nav-update', function(e,data){ $("nav").bind('nav-update', function(e,data){
var elm = $('#pending-update'); var elm = $('#pending-update');
var register = $(data).find('register').text(); var register = parseInt($(data).find('register').text());
if (register=="0") { register = ""; } if (register > 0) {
elm.html(register); elm.html(register);
}
}); });
}); });
</script> </script>

View file

@ -2,8 +2,8 @@
$(document).ready(function(){ $(document).ready(function(){
$('nav').bind('nav-update', function(e,data){ $('nav').bind('nav-update', function(e,data){
var notifCount = $(data).find('notif').attr('count'); var notifCount = $(data).find('notif').attr('count');
var intro = $(data).find('intro').text(); var intro = parseInt($(data).find('intro').text());
var mail = $(data).find('mail').text(); var mail = parseInt($(data).find('mail').text());
$(".tool .notify").removeClass("on"); $(".tool .notify").removeClass("on");
$(data).find("group").each(function() { $(data).find("group").each(function() {

View file

@ -86,7 +86,7 @@ function enableOnUser(){
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
var selstr; var selstr;
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
selstr = $(this).text(); selstr = $(this).html();
$('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-perms-icon').removeClass('unlock').addClass('lock');
$('#jot-public').hide(); $('#jot-public').hide();
$('.profile-jot-net input').attr('disabled', 'disabled'); $('.profile-jot-net input').attr('disabled', 'disabled');

View file

@ -170,7 +170,7 @@
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
var selstr; var selstr;
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
selstr = $(this).text(); selstr = $(this).html();
$('#jot-public').hide(); $('#jot-public').hide();
}); });
if(selstr == null) { if(selstr == null) {