recalapp / recal

First a COS 333 project, now a very popular tool at Princeton for course selection
http://recal.io
MIT License

XSS bug in event description #225

Closed maximz closed 10 years ago

maximz commented 10 years ago

Put <a href="javascript: alert('hi')"> in the event description. This renders as a link for all users that when you click it, it displays a popup. That's XSS.

Here's what we get from /get/0:

"events": [
    {
      "section_color": "#8441A5",
      "event_id": 55492,
      "event_description": "<a href=\"javascript:alert('hi');\">My project page<\/a>\n\nhttp:\/\/www.cs.princeton.edu\/courses\/archive\/spring14\/cos333\/proj5.html\n\n(He also says we ought to read http:\/\/www.cs.princeton.edu\/courses\/archive\/spring14\/cos333\/proj3b.html, but the former link supercedes the latter.)",
      "event_start": "1400014859",
      "revision_id": 55499,
      "event_location": "Event location",
      "modified_user": "maximz",
      "section_id": 1067,
      "course_id": 297,
      "event_group_id": 2760,
      "event_type": "EX",
      "event_end": "1400018459",
      "event_title": "Final Report!",
      "modified_time": "1399822260"
    }
]

We ought to have escaped HTML tags server-side.
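An added illustration of the server-side escaping the comment calls for (example code, not ReCal's own): a copy of each event's free-text fields is passed through `html.escape` before the `/get` response is serialised, so the stored `<a href="javascript:...">` from the excerpt above is delivered as inert text rather than markup. The sample response is constructed from the excerpt; treating `event_title` and `event_location` as user text alongside `event_description` is an assumption.

```python
import html
import json

# Constructed sample modelled on the /get/0 excerpt in this issue; the
# description carries the javascript: link used to demonstrate the bug.
SAMPLE_RESPONSE = {
    "events": [
        {
            "event_id": 55492,
            "event_title": "Final Report!",
            "event_location": "Event location",
            "event_description": (
                "<a href=\"javascript:alert('hi');\">My project page</a>\n\n"
                "http://www.cs.princeton.edu/courses/archive/spring14/cos333/proj5.html"
            ),
        }
    ]
}

# Assumed set of user-supplied free-text fields; every one of them must be
# escaped before a page renders it as HTML.
USER_TEXT_FIELDS = ("event_title", "event_description", "event_location")


def escape_event(event: dict) -> dict:
    """Return a copy of one event with each user-supplied text field HTML-escaped.

    html.escape(quote=True) rewrites &, <, >, " and ' as entities, so a stored
    "<a href=...>" arrives at the browser as literal text, not as an element.
    """
    safe = dict(event)
    for field in USER_TEXT_FIELDS:
        if isinstance(safe.get(field), str):
            safe[field] = html.escape(safe[field], quote=True)
    return safe


def escape_response(response: dict) -> dict:
    """Escape every event in a /get-style response before serialising it."""
    return {"events": [escape_event(e) for e in response.get("events", [])]}


def contains_markup(text: str) -> bool:
    """True if raw angle brackets survive, i.e. the text could still be parsed as HTML."""
    return "<" in text or ">" in text


if __name__ == "__main__":
    print(json.dumps(escape_response(SAMPLE_RESPONSE), indent=2))
```

Escaping on output keeps the original text recoverable for editing; the plain `http://` URLs in the description stay as text too, so any link rendering has to be done deliberately by the client rather than by trusting stored HTML.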

maximz commented 10 years ago

Fixed in #221