From dada3653ce13b8030864a672d78c437d95dff89d Mon Sep 17 00:00:00 2001
From: richardbarran
Date: Sun, 25 Oct 2009 23:14:57 +0000
Subject: [PATCH] Escape any text sent by users (protection against cross-site scripting)(further bug found).

git-svn-id: http://django-jqchat.googlecode.com/svn/trunk@13 8369a704-5b4a-11de-992f-fdd7e25b9163
---
 jqchat/tests.py | 10 ++++++++++
 jqchat/views.py | 3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/jqchat/tests.py b/jqchat/tests.py
index 2b8e4e0..812df52 100644
--- a/jqchat/tests.py
+++ b/jqchat/tests.py
@@ -303,6 +303,16 @@ class DescriptionTest(TestCase):
 self.assert_(r.last_activity > 0, r.last_activity)
+ def test_XSS(self):
+ """Check that chat is protected against cross-site scripting (by disabling html tags)."""
+
+ response = self.client.post('/jqchat/room_with_description/2/ajax/', {'time': 0,
+ 'action': 'change_description',
+ 'description': ''})
+ self.assert_(response.status_code == 200, response.status_code)
+ payload = simplejson.loads(response.content)
+ self.assert_(payload['description'] == '<script>alert("boo!");</script>', payload)
+
diff --git a/jqchat/views.py b/jqchat/views.py
index bd72c41..1fb4c54 100644
--- a/jqchat/views.py
+++ b/jqchat/views.py
@@ -164,7 +164,8 @@ class DescriptionAjax(Ajax):
 if self.request.method == "POST":
 action = self.request.POST['action']
 if action == 'change_description':
- self.ThisRoom.description = self.request.POST['description']
+ # Note that we escape descriptions as a protection against XSS.
+ self.ThisRoom.description = escape(self.request.POST['description'])
 self.ThisRoom.save()
 Message.objects.create_event(self.request.user, self.ThisRoom, 1)
 # Is there a description more recent than the timestamp sent by the client?
-- 
2.39.5
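Review bot: The expected value in the last `self.assert_` of `test_XSS` has to be the HTML-escaped form the view now stores, but as the hunk is rendered here the posted `'description'` is an empty string while the expectation reads as raw `<script>alert("boo!");</script>`, which cannot both hold; most likely the page rendering dropped the tag characters from both literals, so please confirm the committed text. Django's `escape()` turns `<`, `>` and `"` into entities, so the assertion should compare against the entity form, e.g. `expected = '&lt;script&gt;alert(&quot;boo!&quot;);&lt;/script&gt;'` (constructed here; verify against the real `escape()` output). `self.assert_(a == b, payload)` is also the deprecated alias of `assertTrue` and hides which side differs; `self.assertEqual(payload['description'], expected)` reports both values on failure. The test also only covers the `change_description` action on one room URL, so a one-line docstring note that other user-supplied fields are covered elsewhere (or are not) would help the next reader.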
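Review bot: Escaping at write time stores HTML entities in `self.ThisRoom.description`, so any other code path that renders that field through an autoescaping Django template, or a later move to output-time escaping, will double-escape it (`&amp;lt;...`); the usual Django approach is to keep the raw submitted text in the model and escape where the AJAX payload is built. If storing escaped text is the deliberate choice, the added comment should say so for other readers of the field, e.g. `# Stored HTML-escaped: render as-is, do not escape again on output.` Note also that `escape()` only neutralises the HTML-text context; whether the client-side script that inserts `description` into the page does so safely cannot be judged from this hunk. This assumes `escape` is `django.utils.html.escape` imported above the hunk; the enclosing `DescriptionAjax` method starts and ends outside the hunk.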