From: richardbarran <richardbarran@8369a704-5b4a-11de-992f-fdd7e25b9163>
Date: Mon, 19 Oct 2009 20:27:39 +0000 (+0000)
Subject: Escape any text sent by users (protection against cross-site scripting).
X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=1c30951575e673a9714b519f4a2f89f261a57120;p=django-jqchat.git

Escape any text sent by users (protection against cross-site scripting).

git-svn-id: http://django-jqchat.googlecode.com/svn/trunk@12 8369a704-5b4a-11de-992f-fdd7e25b9163
---

diff --git a/jqchat/tests.py b/jqchat/tests.py
index 11e081b..2b8e4e0 100644
--- a/jqchat/tests.py
+++ b/jqchat/tests.py
@@ -201,6 +201,20 @@ class AJAXPostTest(TestCase):
         # No messages added to the 4 already defined.
         self.assert_(len(messages) == 4)
 
+    def test_XSS(self):
+        """Check that chat is protected against cross-site scripting (by disabling html tags)."""
+
+        response = self.client.post('/jqchat/room/1/ajax/', {'time': 0,
+                                                         'action': 'postmsg',
+                                                         'message': '<script>alert("boo!");</script>'})
+        self.assert_(response.status_code == 200, response.status_code)
+
+        payload = simplejson.loads(response.content)
+        messages = payload['messages']
+        self.assert_('&lt;script&gt;' in messages[-1]['text'])
+        self.assert_('<script>' not in messages[-1]['text'])
+
+
 class EventTest(TestCase):
     """Create new events in the room."""
 
diff --git a/jqchat/views.py b/jqchat/views.py
index 148f086..bd72c41 100644
--- a/jqchat/views.py
+++ b/jqchat/views.py
@@ -3,6 +3,7 @@ from django.shortcuts import render_to_response, get_object_or_404
 from django.template import RequestContext
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
+from django.utils.html import escape
 
 from models import Room, Message
 
@@ -93,7 +94,7 @@ class Ajax(object):
                     msg_text = self.request.POST['message']
         
                     if len(msg_text.strip()) > 0: # Ignore empty strings.
-                        Message.objects.create_message(self.request.user, self.ThisRoom, msg_text)
+                        Message.objects.create_message(self.request.user, self.ThisRoom, escape(msg_text))
             else:
                 # If a GET, make sure that no action was specified.
                 if self.request.GET.get('action', None):