Escape user data from admin panel when calling JS

2024-06-01 08:00:50 +00:00 · 2019-02-17 15:22:27 +01:00 · 2019-02-17 15:22:27 +01:00 · d7eeaaf249
commit d7eeaaf249
parent a744b9437a
2 changed files with 34 additions and 5 deletions
--- a/src/config.rs
+++ b/src/config.rs
@ -423,7 +423,9 @@ fn load_templates(path: &str) -> Handlebars {
    let mut hb = Handlebars::new();
    // Error on missing params
    hb.set_strict_mode(true);
+    // Register helpers
    hb.register_helper("case", Box::new(CaseHelper));
+    hb.register_helper("jsesc", Box::new(JsEscapeHelper));

    macro_rules! reg {
        ($name:expr) => {{
@ -455,7 +457,6 @@ fn load_templates(path: &str) -> Handlebars {
    hb
 }

-#[derive(Clone, Copy)]
 pub struct CaseHelper;

 impl HelperDef for CaseHelper {
@ -479,3 +480,31 @@ impl HelperDef for CaseHelper {
        }
    }
 }
+
+pub struct JsEscapeHelper;
+
+impl HelperDef for JsEscapeHelper {
+    fn call<'reg: 'rc, 'rc>(
+        &self,
+        h: &Helper<'reg, 'rc>,
+        _: &'reg Handlebars,
+        _: &Context,
+        _: &mut RenderContext<'reg>,
+        out: &mut Output,
+    ) -> HelperResult {
+        let param = h
+            .param(0)
+            .ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
+
+        let value = param
+            .value()
+            .as_str()
+            .ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
+
+        let escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27");
+        let quoted_value = format!("&quot;{}&quot;", escaped_value);
+
+        out.write(&quoted_value)?;
+        Ok(())
+    }
+}
--- a/src/static/templates/admin/page.hbs
+++ b/src/static/templates/admin/page.hbs
@ -27,8 +27,8 @@
                            </span>
                        </div>
                        <div style="flex: 0 0 240px;">
-                            <a class="mr-3" href="#" onclick='deauthUser("{{Id}}")'>Deauthorize sessions</a>
-                            <a class="mr-3" href="#" onclick='deleteUser("{{Id}}", "{{Email}}")'>Delete User</a>
+                            <a class="mr-3" href="#" onclick='deauthUser({{jsesc Id}})'>Deauthorize sessions</a>
+                            <a class="mr-3" href="#" onclick='deleteUser({{jsesc Id}}, {{jsesc Email}})'>Delete User</a>
                        </div>
                    </div>
                </div>
@ -101,7 +101,7 @@
                {{/if}}
                {{/each}}
                <button type="submit" class="btn btn-primary">Save</button>
-                <button type="button" class="btn btn-danger float-right" onclick="deleteConfig();">Reset defaults</button>
+                <button type="button" class="btn btn-danger float-right" onclick="deleteConf();">Reset defaults</button>
            </form>
        </div>
    </div>
@ -192,7 +192,7 @@
            "Error saving config", data);
        return false;
    }
-    function deleteConfig() {
+    function deleteConf() {
        var input = prompt("This will remove all user configurations, and restore the defaults and the " +
            "values set by the environment. This operation could be dangerous. Type 'DELETE' to proceed:");
        if (input === "DELETE") {