From d7eeaaf24952bc893ef6209d428c8d9b775b618b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
Date: Sun, 17 Feb 2019 15:22:27 +0100
Subject: [PATCH] Escape user data from admin panel when calling JS
---
 src/config.rs | 31 ++++++++++++++++++++++++++++-
 src/static/templates/admin/page.hbs | 8 ++++----
 2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/src/config.rs b/src/config.rs
index d2aaf033..f49e8cc6 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -423,7 +423,9 @@ fn load_templates(path: &str) -> Handlebars {
 let mut hb = Handlebars::new();
 // Error on missing params
 hb.set_strict_mode(true);
+ // Register helpers
 hb.register_helper("case", Box::new(CaseHelper));
+ hb.register_helper("jsesc", Box::new(JsEscapeHelper));
 macro_rules! reg {
 ($name:expr) => {{
@@ -455,7 +457,6 @@ fn load_templates(path: &str) -> Handlebars {
 hb
 }
-#[derive(Clone, Copy)]
 pub struct CaseHelper;
 impl HelperDef for CaseHelper {
@@ -479,3 +480,31 @@ impl HelperDef for CaseHelper {
 }
 }
 }
+
+pub struct JsEscapeHelper;
+
+impl HelperDef for JsEscapeHelper {
+ fn call<'reg: 'rc, 'rc>(
+ &self,
+ h: &Helper<'reg, 'rc>,
+ _: &'reg Handlebars,
+ _: &Context,
+ _: &mut RenderContext<'reg>,
+ out: &mut Output,
+ ) -> HelperResult {
+ let param = h
+ .param(0)
+ .ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
+
+ let value = param
+ .value()
+ .as_str()
+ .ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
+
+ let escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27");
+ let quoted_value = format!(""{}"", escaped_value);
+
+ out.write("ed_value)?;
+ Ok(())
+ }
+}
diff --git a/src/static/templates/admin/page.hbs b/src/static/templates/admin/page.hbs
index fc948884..63916873 100644
--- a/src/static/templates/admin/page.hbs
+++ b/src/static/templates/admin/page.hbs
@@ -27,8 +27,8 @@
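Review bot: The escape table in `JsEscapeHelper::call` has the two quote mappings swapped: `\x22` is `"` and `\x27` is `'`, so the `replace('\'', "\\x22").replace('\"', "\\x27")` chain turns every single quote in the value into a double quote and vice versa once the browser decodes the literal; the output stays inside the surrounding quotes, but the value the admin page receives is no longer the stored one, and `replace('\\', "")` silently drops backslashes instead of escaping them. The line should read `let escaped_value = value.replace('\\', "\\\\").replace('\'', "\\x27").replace('"', "\\x22");` so the data round-trips intact. The helper also leaves `<`, `>`, `\n` and `\r` untouched; a line terminator breaks the generated string literal, and if the value is ever rendered inside an inline `<script>` element a `</script>` sequence in it still ends the script regardless of quoting, so `<` and `>` should be emitted as `\x3c` and `\x3e` and line terminators as `\n`/`\r` (or every non-alphanumeric byte as `\xHH`). The helper is registered under the name `jsesc` while both `RenderError` messages refer to `"js_escape"`, which will confuse anyone grepping from the log line back to the template. The lines `format!(""{}"", escaped_value)` and `out.write("ed_value)?;` are not valid Rust as rendered here and look like an extraction artifact of `format!("\"{}\"", ...)` / `out.write(&quoted_value)?;`, which is presumably what the commit contains.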
- Deauthorize sessions - Delete User + Deauthorize sessions + Delete User
@@ -101,7 +101,7 @@ {{/if}} {{/each}} - +
@@ -192,7 +192,7 @@ "Error saving config", data); return false; }
- function deleteConfig() {
+ function deleteConf() {
 var input = prompt("This will remove all user configurations, and restore the defaults and the " + "values set by the environment. This operation could be dangerous. Type 'DELETE' to proceed:"); if (input === "DELETE") {