[FIX] Fix XSS (#4560)

* [FIX] login xss * [FIX] Client Side Sanitization * moved from frappe to frappe.utils * added strategies * removed console.log * fixed codacy * XSS sanitization at login * moved to common js - xss_sanitize
2017-12-13 16:25:06 +05:30 · 2017-12-13 16:25:06 +05:30 · 61b2b25981
commit 61b2b25981
parent 4d4fb72315
3 changed files with 36 additions and 2 deletions
--- a/frappe/public/js/frappe/misc/common.js
+++ b/frappe/public/js/frappe/misc/common.js
@ -255,3 +255,36 @@ frappe.is_mobile = function() {
 	return $(document).width() < 768;
 }

+frappe.utils.xss_sanitise = function (string, options) {
+	// Reference - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
+	let sanitised = string; // un-sanitised string.
+	const DEFAULT_OPTIONS = {
+		strategies: ['html', 'js'] // use all strategies.
+	}
+	const HTML_ESCAPE_MAP = {
+		'&': '&amp',
+		'<': '&lt',
+		'>': '&gt',
+		'"': '&quot',
+		"'": '&#x27',
+		'/': '&#x2F'
+	};
+	const REGEX_SCRIPT     = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi; // used in jQuery 1.7.2 src/ajax.js Line 14
+	options          	   = Object.assign({ }, DEFAULT_OPTIONS, options); // don't deep copy, immutable beauty.
+	
+	// Rule 1
+	if ( options.strategies.includes('html') ) {
+		// By far, the best thing that has ever happened to JS - Object.keys
+		Object.keys(HTML_ESCAPE_MAP).map((char, escape) => {
+			const regex = new RegExp(char, "g");
+			sanitised = sanitised.replace(regex, escape);
+		});
+	}
+	
+	// Rule 3 - TODO: Check event handlers?
+	if ( options.strategies.includes('js') ) {
+		sanitised = sanitised.replace(REGEX_SCRIPT, "");
+	}
+
+	return sanitised;
+}
--- a/frappe/templates/includes/login/login.js
+++ b/frappe/templates/includes/login/login.js
@ -17,8 +17,8 @@ login.bind_events = function() {
 		event.preventDefault();
 		var args = {};
 		args.cmd = "login";
-		args.usr = ($("#login_email").val() || "").trim();
-		args.pwd = $("#login_password").val();
+		args.usr = frappe.utils.xss_sanitise(($("#login_email").val() || "").trim());
+		args.pwd = frappe.utils.xss_sanitise($("#login_password").val());
 		args.device = "desktop";
 		if(!args.usr || !args.pwd) {
 			frappe.msgprint("{{ _("Both login and password required") }}");
--- a/frappe/website/js/website.js
+++ b/frappe/website/js/website.js
@ -185,6 +185,7 @@ $.extend(frappe, {
 		if($.isArray(html)) {
 			html = html.join("<hr>")
 		}
+
 		return frappe.get_modal(title || "Message", html).modal("show");
 	},
 	send_message: function(opts, btn) {