Bug 564512 - XSS vulnerability in Babel translate page

Change-Id: I1e1826f6db191a70c8d25af21a939b4e4888ab09
Signed-off-by: Kit Lo <kitlo@us.ibm.com>
diff --git a/html/callback/getCurrentStringTranslation.php b/html/callback/getCurrentStringTranslation.php
index 09a4b01..197e629 100644
--- a/html/callback/getCurrentStringTranslation.php
+++ b/html/callback/getCurrentStringTranslation.php
@@ -1,6 +1,6 @@
 <?php
 /*******************************************************************************
- * Copyright (c) 2007-2018 Eclipse Foundation and others.
+ * Copyright (c) 2007-2020 Eclipse Foundation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -10,6 +10,7 @@
  *    Paul Colton (Aptana)- initial API and implementation
  *    Eclipse Foundation
  *    Kit Lo (IBM) - [281434] Syncup overuses the "possibly incorrect" flag
+ *    Andrew Johnson (IBM) - [564512] Escape HTML for hints
 *******************************************************************************/
 
 require_once("cb_global.php");
@@ -125,7 +126,7 @@
 		<h4 id="translation-hints-title">Translation Hints [<a id="clear-btn" href="javascript:clearHints();">Clear</a>]</h4>
 		<div id="translation-hints" style='overflow-x: hidden; overflow-y: auto; height: 75px;'>
 		<b>Select some English text above to find similar translations</b><?php
-		# offer up some hints is the string is not translated
+		# offer up some hints if the string is not translated
 		if($line['translation_value'] == "") {
 			$q_th = "SELECT DISTINCT t.value
                  FROM translations as t
@@ -139,7 +140,7 @@
 			if(mysqli_affected_rows($dbh) > 0) {
 				echo "<b>, or use from the following:</b><ul>";
 				while($translation_hints = mysqli_fetch_array($res_th, MYSQLI_ASSOC)){
-					echo "<li>", $translation_hints['value'], "</li>";
+					echo "<li>", nl2br(htmlspecialchars($translation_hints['value'])), "</li>";
 				}
 				echo "</ul>";
 			}
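Review bot: The added `htmlspecialchars($translation_hints['value'])` relies on PHP's default flags and charset, which differ by version: ENT_QUOTES only became the default in 8.1, and without ENT_SUBSTITUTE an invalid UTF-8 sequence in a hint makes the call return an empty string, so that hint silently disappears from the list. Passing the flags explicitly makes the escaping identical on every deployment: `echo "<li>", nl2br(htmlspecialchars($translation_hints['value'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')), "</li>";`. The same applies to the other escaping lines in this commit: the name output in the `@@ -195,7 +196,7 @@` hunk of this file, both hunks of getTranslationHints.php, and the message line in setStringNonTranslatable.php; a single shared helper (cb_global.php is already required by each of these files) would keep them in step. The `if($line['translation_value'] == "")` block enclosing this loop starts outside the hunk.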
@@ -195,7 +196,7 @@
 					print "<div>".nl2br(htmlspecialchars($line['value']))."</div>";
 					print "</td>";
 					print "<td width='20%'>";
-					print $line['first_name']." ".$line['last_name'];
+					print htmlspecialchars($line['first_name'])." ".htmlspecialchars($line['last_name']);
 					print "</td>";
 					print "<td width='40%'>";
 					print $line['created_on'];
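Review bot: The replacement line escapes `first_name` and `last_name`, but the adjacent `print $line['created_on'];` two lines below still writes a database field into the table raw; if `created_on` is a DATETIME column it cannot carry markup, but the hunk does not show its type, and escaping every field printed into this row is cheaper than reasoning per column. Folding the two names into one call also removes the duplicated escape: `print htmlspecialchars($line['first_name'] . ' ' . $line['last_name']);`. The loop that prints these cells starts outside the hunk.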
diff --git a/html/callback/getTranslationHints.php b/html/callback/getTranslationHints.php
index 5e2e000..8e259d0 100644
--- a/html/callback/getTranslationHints.php
+++ b/html/callback/getTranslationHints.php
@@ -1,6 +1,6 @@
 <?php
 /*******************************************************************************
- * Copyright (c) 2008-2019 Eclipse Foundation and others.
+ * Copyright (c) 2008-2020 Eclipse Foundation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -9,6 +9,7 @@
  * Contributors:
  *    Eclipse Foundation - initial API and implementation
  *    Satoru Yoshida - [470120] it is nice if translation hint will prefer front match.
+ *    Andrew Johnson (IBM) - [564512] Escape HTML for hints
 *******************************************************************************/
 require_once("cb_global.php");
 
@@ -42,7 +43,7 @@
 if(mysqli_affected_rows($dbh) > 0) {
 	echo "<ul>";
 	while($line = mysqli_fetch_array($res, MYSQLI_ASSOC)){
-		echo "<li>", $line['value'], "</li>";
+	    echo "<li>", nl2br(htmlspecialchars($line['value'])), "</li>";
 	}
 	echo "</ul>";
 }
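Review bot: The replacement `echo` line is indented with a tab followed by four spaces, while the surrounding lines (`echo "<ul>";`, the `while`, and the closing brace) use tabs only, so the loop body no longer lines up at tab width 8 and the file now mixes indentation styles. The second hunk of this file keeps the two-tab indentation and this one should match it: `		echo "<li>", nl2br(htmlspecialchars($line['value'])), "</li>";` with two leading tabs.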
@@ -64,7 +65,7 @@
 	if(mysqli_affected_rows($dbh) > 0) {
 		echo "<ul>";
 		while($line = mysqli_fetch_array($res, MYSQLI_ASSOC)){
-			echo "<li>", $line['value'], "</li>";
+			echo "<li>", nl2br(htmlspecialchars($line['value'])), "</li>";
 		}
 		echo "</ul>";
 	}
diff --git a/html/callback/setStringNonTranslatable.php b/html/callback/setStringNonTranslatable.php
index a45a1f2..adc19db 100644
--- a/html/callback/setStringNonTranslatable.php
+++ b/html/callback/setStringNonTranslatable.php
@@ -1,4 +1,15 @@
 <?php
+/*******************************************************************************
+ * Copyright (c) 2008-2020 Eclipse Foundation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *    Eclipse Foundation - initial API and implementation
+ *    Andrew Johnson (IBM) - [564512] Escape HTML
+*******************************************************************************/
 require_once("cb_global.php");
 
 $string_id = getHTTPParameter("string_id", "POST");
@@ -47,5 +58,5 @@
 	$message = "'".$row['value']."' has been marked as translatable in ".$updated_rows." file(s).";
 }
 
-print "<br><br><br><center><b>$message</b></center>";
+print "<br><br><br><center><b>".nl2br(htmlspecialchars($message))."</b></center>";
 ?>
\ No newline at end of file
diff --git a/html/js/global.js b/html/js/global.js
index b252132..7d8b2c5 100644
--- a/html/js/global.js
+++ b/html/js/global.js
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2007-2019 Eclipse Foundation and others.
+ * Copyright (c) 2007-2020 Eclipse Foundation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -9,6 +9,7 @@
  *    Paul Colton (Aptana)- initial API and implementation
  *    Eclipse Foundation
  *    Denis Roy (Eclipse Foundation) - Bug 550544 - Babel server is not ready for PHP 7
+ *    Andrew Johnson (IBM) - Bug 564512 - Escape HTML for hints
 *******************************************************************************/
 
 YAHOO.widget.Logger.enableBrowserConsole();
@@ -111,6 +112,11 @@
 
 YAHOO.util.Event.onDOMReady(setupFilesOrder);
 
+function escapeHTML(str1) {
+	var el = document.createElement('div');
+	el.innerText = str1;
+	return el.innerHTML;
+}
 
 function catchSelection() {
 	var sel = "";
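Review bot: `escapeHTML` assigns through `innerText`, which is a rendering-aware property: per the HTML specification its setter turns each line feed into a `<br>` element, so `escapeHTML("a\nb")` yields `a<br>b` rather than a text-only string, and older engines implemented `innerText` inconsistently. `textContent` gives the same entity encoding of `&`, `<` and `>` without the line-break rewriting: `el.textContent = str1;`. The serialised text node also leaves `"` and `'` untouched, so the result is safe only as element content, never inside an attribute value; a comment above the function stating that constraint (`// Escape for HTML element content only; quotes are not encoded, so never use the result in an attribute value.`) would keep future callers from misusing it. The `catchSelection` function that begins on the hunk's last lines continues outside it.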
@@ -128,7 +134,7 @@
 		if(document.getElementById('translation-hints') && !document.getElementById('translation-hints').innerHTML.includes("or use from the following:") ) {
 			var domNode = document.getElementById('translation-hints');
 
-			domNode.innerHTML = "Please wait, looking for : <b>" + sel + "</b>";
+			domNode.innerHTML = "Please wait, looking for : <b>" + escapeHTML(sel) + "</b>";
 			showTranslationHints(sel);
 		}
         	if(document.getElementById('translation-hints') && document.getElementById('translation-hints').innerHTML.includes("or use from the following:") ) {