Escape any text sent by users (protection against cross-site scripting).

author richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>

Mon, 19 Oct 2009 20:27:39 +0000 (20:27 +0000)

committer richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>

Mon, 19 Oct 2009 20:27:39 +0000 (20:27 +0000)
author richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>
Mon, 19 Oct 2009 20:27:39 +0000 (20:27 +0000)
committer richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>
Mon, 19 Oct 2009 20:27:39 +0000 (20:27 +0000)
diff --git a/jqchat/tests.py b/jqchat/tests.py

index 11e081bf2942d1cc211ba014f277afa6c73a1610..2b8e4e085ebaa61ec337b16b2c19b847a4ab1602 100644 (file)
--- a/jqchat/tests.py
+++ b/jqchat/tests.py
@@ -201,6 +201,20 @@ class AJAXPostTest(TestCase):
          # No messages added to the 4 already defined.
          self.assert_(len(messages) == 4)
  
+    def test_XSS(self):
+        """Check that chat is protected against cross-site scripting (by disabling html tags)."""
+
+        response = self.client.post('/jqchat/room/1/ajax/', {'time': 0,
+                                                         'action': 'postmsg',
+                                                         'message': '<script>alert("boo!");</script>'})
+        self.assert_(response.status_code == 200, response.status_code)
+
+        payload = simplejson.loads(response.content)
+        messages = payload['messages']
+        self.assert_('&lt;script&gt;' in messages[-1]['text'])
+        self.assert_('<script>' not in messages[-1]['text'])
+
+
  class EventTest(TestCase):
      """Create new events in the room."""
  
diff --git a/jqchat/views.py b/jqchat/views.py

index 148f086ed94ada091f91f038ae2b83657f30728e..bd72c4170b0b54e1a5c40928329d6047241de2db 100644 (file)
--- a/jqchat/views.py
+++ b/jqchat/views.py
@@ -3,6 +3,7 @@ from django.shortcuts import render_to_response, get_object_or_404
  from django.template import RequestContext
  from django.conf import settings
  from django.contrib.auth.decorators import login_required
+from django.utils.html import escape
  
  from models import Room, Message
  
@@ -93,7 +94,7 @@ class Ajax(object):
                      msg_text = self.request.POST['message']
          
                      if len(msg_text.strip()) > 0: # Ignore empty strings.
-                        Message.objects.create_message(self.request.user, self.ThisRoom, msg_text)
+                        Message.objects.create_message(self.request.user, self.ThisRoom, escape(msg_text))
              else:
                  # If a GET, make sure that no action was specified.
                  if self.request.GET.get('action', None):
author	richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>
	Mon, 19 Oct 2009 20:27:39 +0000 (20:27 +0000)
committer	richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>
	Mon, 19 Oct 2009 20:27:39 +0000 (20:27 +0000)
jqchat/tests.py		patch \| blob \| history
jqchat/views.py		patch \| blob \| history