From: richardbarran
Date: Sun, 25 Oct 2009 23:14:57 +0000 (+0000)
Subject: Escape any text sent by users (protection against cross-site scripting)(further bug...
X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=dada3653ce13b8030864a672d78c437d95dff89d;p=django-jqchat.git

Escape any text sent by users (protection against cross-site scripting)(further bug found).

git-svn-id: http://django-jqchat.googlecode.com/svn/trunk@13 8369a704-5b4a-11de-992f-fdd7e25b9163
---
diff --git a/jqchat/tests.py b/jqchat/tests.py
index 2b8e4e0..812df52 100644
--- a/jqchat/tests.py
+++ b/jqchat/tests.py
@@ -303,6 +303,16 @@ class DescriptionTest(TestCase):
 self.assert_(r.last_activity > 0, r.last_activity)
+ def test_XSS(self):
+ """Check that chat is protected against cross-site scripting (by disabling html tags)."""
+
+ response = self.client.post('/jqchat/room_with_description/2/ajax/', {'time': 0,
+ 'action': 'change_description',
+ 'description': ''})
+ self.assert_(response.status_code == 200, response.status_code)
+ payload = simplejson.loads(response.content)
+ self.assert_(payload['description'] == '<script>alert("boo!");</script>', payload)
+
diff --git a/jqchat/views.py b/jqchat/views.py
index bd72c41..1fb4c54 100644
--- a/jqchat/views.py
+++ b/jqchat/views.py
@@ -164,7 +164,8 @@ class DescriptionAjax(Ajax):
 if self.request.method == "POST":
 action = self.request.POST['action']
 if action == 'change_description':
- self.ThisRoom.description = self.request.POST['description']
+ # Note that we escape descriptions as a protection against XSS.
+ self.ThisRoom.description = escape(self.request.POST['description'])
 self.ThisRoom.save()
 Message.objects.create_event(self.request.user, self.ThisRoom, 1)
 # Is there a description more recent than the timestamp sent by the client?
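Review bot: The posted `'description'` is the empty string while the final assertion expects `<script>alert("boo!");</script>` back, so as shown the test cannot express what its docstring claims: `escape('')` is `''`, and a literal `<script>` tag coming back unchanged would be the failure case rather than the success case. Most likely the page rendering dropped the posted `<script>` payload and decoded the `&lt;script&gt;` entities in the expected string, but that should be confirmed against the repository before relying on this test. A check that does not depend on the exact encoding would make the intent explicit, e.g. `self.assert_('<script>' not in payload['description'], payload)` alongside the equality. The enclosing `DescriptionTest` class starts outside the hunk.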
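Review bot: `escape` is a new name in this method and the diff adds no import for it; unless `django.utils.html.escape` is already imported in views.py, the change_description branch raises NameError at request time (the new test_XSS would surface this). Separately, escaping on input stores an HTML-encoded description: once saved and read back the value is an ordinary string, so an autoescaping template would encode it a second time (`&amp;lt;`), and any non-HTML consumer of the JSON receives entities instead of the user's text. The conventional placement is to store the raw text and escape at the output boundary (the JSON serialization or template that renders the description), moving the `# Note that we escape …` comment to where the escaping actually happens. The `self.request.POST['description']` lookup also still raises `MultiValueDictKeyError` on a missing key, pre-existing but cheap to fix with `self.request.POST.get('description', '')` while touching the line. The DescriptionAjax method continues outside the hunk.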