
more xss vectors patched
michelson committed Jan 14, 2022
1 parent 1990a7a commit bffa585
Showing 9 changed files with 26 additions and 10 deletions.
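--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,3 @@
+For security disclosures please contact me at [miguel at chaskiq.io]
+thanks!
+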
1 change: 1 addition & 0 deletions app/graphql/mutations/app_users/update_app_user.rb
Expand Up @@ -4,6 +4,7 @@ module Mutations
module AppUsers
class UpdateAppUser < Mutations::BaseMutation
field :app_user, Types::AppUserType, null: false
field :errors, Types::JsonType, null: true
argument :app_key, String, required: true
argument :options, Types::JsonType, required: true
argument :id, Integer, required: true
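Review bot: The `options` argument stays an unconstrained `Types::JsonType`, so whatever allow-listing or normalisation of the submitted attributes this commit depends on must live in `resolve`, which is outside the hunk and cannot be checked here. The client-side `escapeHTML` calls elsewhere in this commit only protect the React views; any other consumer of stored app-user attributes would still receive the raw values unless they are validated at this boundary. A one-line comment on the argument would make that expectation explicit: `# options are user-supplied: keys and values must be validated in resolve`. The new `errors` field is nullable JSON with no documented shape; a short comment describing what the client should expect there would help. The `UpdateAppUser` class continues outside the hunk.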
Expand Up @@ -8,7 +8,7 @@ import Dropdown from '../Dropdown';
import Button, { ButtonIndigo } from '../Button';
import { PredicateType } from './types';
import I18n from '../../../../../src/shared/FakeI18n';

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize';
// import ClickAwayListener from '@material-ui/core/ClickAwayListener'

import defaultFields from '../../utils/defaultFields';
Expand Down Expand Up @@ -178,7 +178,7 @@ export class SaveSegmentModal extends Component<SaveSegmentModalType> {
className="ml-2"
dangerouslySetInnerHTML={{
__html: I18n.t('segment_manager.save_changes_to', {
name: this.props.segment.name,
name: escapeHTML(this.props.segment.name),
}),
}}
></span>
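Review bot: `escapeHTML(this.props.segment.name)` only closes the vector if the helper encodes all of `& < > " '`; should the `segment_manager.save_changes_to` translation ever place the value inside an attribute, an unescaped quote still breaks out, so the helper's coverage in `htmlSanitize` (not visible here) is worth confirming. Its parameter type also matters under strict mode: an undefined or non-string name should become `''` rather than the text `undefined` or a thrown error. If the translation contains no markup of its own, the safer shape is to drop `dangerouslySetInnerHTML` and render `{I18n.t('segment_manager.save_changes_to', { name: this.props.segment.name })}` as JSX text, letting React do the escaping. The `render` method of `SaveSegmentModal` starts and ends outside the hunk.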
Expand Up @@ -3,6 +3,8 @@ import styled from '@emotion/styled';

import tw from 'twin.macro';

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize';

export const Wrapper = styled.div`
top: 0px;
z-index: 999999;
Expand Down Expand Up @@ -37,7 +39,7 @@ export default function GDPRView({ confirm, cancel, i18n, app }) {
<Title>{i18n.t('messenger.gdpr_title')}</Title>
<TextContent
dangerouslySetInnerHTML={{
__html: i18n.t('messenger.gdpr', { name: app.name }),
__html: i18n.t('messenger.gdpr', { name: escapeHTML(app.name) }),
}}
></TextContent>

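Review bot: `GDPRView({ confirm, cancel, i18n, app })` has untyped destructured props, so `app.name` is implicitly `any` and nothing documents that it is expected to be a string when it reaches `escapeHTML`. Declaring a props interface, e.g. `interface GDPRViewProps { app: { name: string }; i18n: { t: (key: string, opts?: Record<string, unknown>) => string }; confirm: () => void; cancel: () => void }`, would make the contract checkable and flag callers that pass something else. Since this component appears to live in the embedded messenger (judging from the `messenger.gdpr` key), a comment noting that `app.name` is operator-controlled data rendered on third-party pages would explain why the escape is required. The function body continues outside the hunk.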
Expand Up @@ -2,6 +2,8 @@ import React, { Component } from 'react';
import { DefinitionRenderer } from '@chaskiq/components/src/components/packageBlocks/components';
import Button from '@chaskiq/components/src/components/Button';
import { toCamelCase } from '@chaskiq/components/src/utils/caseConverter';
import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize';

import autolink from '../autolink';
import serialize from 'form-serialize';
import { isEmpty } from 'lodash';
Expand Down Expand Up @@ -196,7 +198,7 @@ export default class AppPackageBlock extends Component<
__html: this.props.i18n.t(
'messenger.conversation_block.choosen',
{
field: item.label,
field: escapeHTML(item.label),
}
),
}}
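Review bot: Only the `choosen` message is escaped here, yet `item.label` is just one field of an object whose origin is outside the hunk; if it comes from an app-package definition, the other package-supplied fields rendered through `DefinitionRenderer` deserve the same review. A comment on the escaped line would preserve the reasoning for the next maintainer: `// item.label comes from the package definition (not trusted) — keep escaped`. The enclosing method of `AppPackageBlock` starts and ends outside the hunk.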
4 changes: 3 additions & 1 deletion app/javascript/src/layout/sidebar.tsx
Expand Up @@ -34,6 +34,8 @@ import {
ChartsIcons,
} from '@chaskiq/components/src/components/icons';

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize';

import I18n from '../shared/FakeI18n';

import SidebarAgents from '../pages/conversations/SidebarAgents';
Expand Down Expand Up @@ -140,7 +142,7 @@ function Sidebar({
className="text-sm leading-5 text-gray-500 dark:text-gray-100 font-light"
dangerouslySetInnerHTML={{
__html: I18n.t('dashboard.hey', {
name: app.name,
name: escapeHTML(app.name),
}),
}}
/>
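Review bot: The fix is applied call site by call site, so the next `I18n.t(...)` interpolated into `dangerouslySetInnerHTML` will regress unless escaping is centralised; this `dashboard.hey` greeting is duplicated verbatim in `Dashboard.tsx` in the same commit. A small helper that escapes every interpolation value before delegating to `I18n.t` would let both sites call `tHtml('dashboard.hey', { name: app.name })` and leave no room to forget the escape. The `Sidebar` function starts and ends outside the hunk.
```typescript
// Interpolate i18n values for use with dangerouslySetInnerHTML: every value is escaped first.
function tHtml(key: string, opts: Record<string, unknown> = {}): string {
  const safe = Object.fromEntries(
    Object.entries(opts).map(([k, v]) => [k, escapeHTML(String(v ?? ''))])
  );
  return I18n.t(key, safe);
}
```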
4 changes: 3 additions & 1 deletion app/javascript/src/pages/Dashboard.tsx
Expand Up @@ -11,6 +11,8 @@ import PageHeader from '@chaskiq/components/src/components/PageHeader';

import DashboardItem from './reports/ReportItem';

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize';

import {
ConversationChatIcon,
CampaignsIcon,
Expand Down Expand Up @@ -123,7 +125,7 @@ function Dashboard(props) {
className="text-4xl leading-2 text-gray-900 dark:text-gray-100 font-bold"
dangerouslySetInnerHTML={{
__html: I18n.t('dashboard.hey', {
name: app.name,
name: escapeHTML(app.name),
}),
}}
/>
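Review bot: Unless the `dashboard.hey` translation carries markup of its own, `dangerouslySetInnerHTML` is unnecessary here and the greeting could be rendered as plain JSX text, which removes the escaping requirement instead of satisfying it. The same heading appears in `sidebar.tsx`; extracting a `Greeting` component that takes `name: string` would keep the two in step. `Dashboard(props)` is also untyped, so `app.name` is `any` on its way into `escapeHTML`; a props type would document what the helper is expected to receive. The function body continues outside the hunk.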
10 changes: 7 additions & 3 deletions app/javascript/src/pages/Profile.tsx
Expand Up @@ -25,7 +25,9 @@ import {
import graphql from '@chaskiq/store/src/graphql/client';

import DialogEditor from './conversations/DialogEditor';
import sanitizeHtml from '@chaskiq/components/src/utils/htmlSanitize';
import sanitizeHtml, {
escapeHTML,
} from '@chaskiq/components/src/utils/htmlSanitize';
//require('sanitize-html')

import { setCurrentSection } from '@chaskiq/store/src/actions/navigation';
Expand Down Expand Up @@ -515,8 +517,10 @@ class ProfilePage extends Component<ProfilePageProps, ProfilePageState> {
<div
className="text-sm text-gray-500 truncate"
dangerouslySetInnerHTML={{
__html: sanitizeHtml(
o.lastMessage.message.htmlContent
__html: escapeHTML(
sanitizeHtml(
o.lastMessage.message.htmlContent
)
).substring(0, 250),
}}
/>
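Review bot: `escapeHTML(sanitizeHtml(...))` followed by `dangerouslySetInnerHTML` entity-encodes the very tags `sanitizeHtml` chose to keep, so the preview will display them as literal text such as `<p>` and `<a href=...>`, and `.substring(0, 250)` applied after escaping can cut an entity like `&amp;` in half. It is no longer injectable, which is the point of the commit, but the output is not what a message preview should look like. If a plain-text preview is the intent, strip the remaining markup and let React escape the text node, dropping `dangerouslySetInnerHTML` entirely; the surrounding map callback starts and ends outside the hunk, so the `const` needs a block-bodied arrow there.
```typescript
// Plain-text preview: sanitise, strip what is left, then let React escape the text node.
const previewText =
  new DOMParser()
    .parseFromString(sanitizeHtml(o.lastMessage.message.htmlContent), 'text/html')
    .body.textContent ?? '';
<div className="text-sm text-gray-500 truncate">{previewText.substring(0, 250)}</div>
```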
2 changes: 1 addition & 1 deletion app/javascript/src/pages/campaigns/editor.tsx
Expand Up @@ -311,7 +311,7 @@ function Preview({ campaign, app }) {
{I18n.t('campaign.preview')}
</h3>
<div className="mt-2 text-sm leading-5 text-yellow-700">
<p>{I18n.t('campaign.preview_hint')}</p>
<p>{I18n.t('campaign.preview_hint', { name: '{{name}}' })}</p>
</div>
</div>
</div>
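Review bot: The literal `'{{name}}'` passed as the interpolation value is a magic string with no explanation; a reader cannot tell whether it is a placeholder that was meant to be substituted or, as it appears, the raw template token shown on purpose so the hint explains the campaign syntax. Rendering it as JSX text is fine for escaping, but the intent should be written down: `// show the raw {{name}} token so the hint documents the template syntax` above the line, or a named constant such as `const NAME_PLACEHOLDER = '{{name}}'` if the same token is used elsewhere in the editor. The `Preview` function starts and ends outside the hunk.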
