Escape any text sent by users (protection against cross-site scripting)(further bug...
author richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>
Sun, 25 Oct 2009 23:14:57 +0000 (23:14 +0000)
committer richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>
Sun, 25 Oct 2009 23:14:57 +0000 (23:14 +0000)
git-svn-id: http://django-jqchat.googlecode.com/svn/trunk@13 8369a704-5b4a-11de-992f-fdd7e25b9163

jqchat/tests.py
jqchat/views.py

index 2b8e4e085ebaa61ec337b16b2c19b847a4ab1602..812df52725dc547895c03558f4fdb9244f4a2dd2 100644 (file)
@@ -303,6 +303,16 @@ class DescriptionTest(TestCase):
         self.assert_(r.last_activity > 0, r.last_activity)
 
 
+    def test_XSS(self):
+        """Check that chat is protected against cross-site scripting (by disabling html tags)."""
+
+        response = self.client.post('/jqchat/room_with_description/2/ajax/', {'time': 0,
+                                                                            'action': 'change_description',
+                                                                            'description': '<script>alert("boo!");</script>'})
+        self.assert_(response.status_code == 200, response.status_code)
+        payload = simplejson.loads(response.content)
+        self.assert_(payload['description'] == '&lt;script&gt;alert(&quot;boo!&quot;);&lt;/script&gt;', payload)
+
 
 
 
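Review bot: test_XSS only exercises the `change_description` action, while the commit title claims that any text sent by users is escaped; nothing in this hunk checks that a posted chat message comes back escaped, so a sibling test (or a second POST in this one) for the message path would pin that claim rather than leave it to the description field alone. The expected value on the last assert also hard-codes the exact output of Django's escape() (`&quot;` for `"`, `&lt;`/`&gt;` for the brackets), which couples the test to one escaping implementation; a companion check that is robust to that choice is `self.assert_('<script>' not in payload['description'], payload)`. The docstring says protection is "by disabling html tags", but the view escapes rather than strips, so `"""Check that a description containing HTML is returned HTML-escaped (XSS protection)."""` describes what is actually asserted. The enclosing class DescriptionTest starts before the hunk.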
index bd72c4170b0b54e1a5c40928329d6047241de2db..1fb4c540188630d5a161644b7afb24043a0f8a94 100644 (file)
@@ -164,7 +164,8 @@ class DescriptionAjax(Ajax):
         if self.request.method == "POST":
             action = self.request.POST['action']
             if action == 'change_description':
-                self.ThisRoom.description = self.request.POST['description']
+                # Note that we escape descriptions as a protection against XSS.
+                self.ThisRoom.description = escape(self.request.POST['description'])
                 self.ThisRoom.save()
                 Message.objects.create_event(self.request.user, self.ThisRoom, 1)
         # Is there a description more recent than the timestamp sent by the client?
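Review bot: Escaping at write time stores entity-encoded text in the database, so any later rendering of `ThisRoom.description` through a Django template with autoescaping on, or a re-save of an already-escaped value through this same branch, will double-escape it (`&lt;` becomes `&amp;lt;`); the usual place for this is the output side (the JSON-producing code or the template). If input-time escaping is the deliberate choice, the new comment should record the consequence so nobody escapes again downstream, e.g. `# Stored HTML-escaped as XSS protection; do not escape again when rendering.` Whether `escape` here is `django.utils.html.escape` is not visible in the hunk — the import lives outside it — and this branch only covers descriptions, so whether chat message text gets the same treatment cannot be confirmed from these lines. The enclosing method of DescriptionAjax begins before the hunk and continues after it.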