From: Michael Wood
Date: Tue, 11 Nov 2014 11:31:15 +0000
To: "Damian, Alexandru"
Cc: "toaster@yoctoproject.org"
Subject: Re: [review-request][PATCH] bitbake: toaster: project use escapejs filter to avoid tag interpretation
Message-ID: <5461F383.1070402@intel.com>
References: <1415290298-4049-1-git-send-email-michael.g.wood@intel.com>

Hi,

Valid JSON can contain unescaped markup tags which will break the JavaScript, e.g. if you put your project name to "Hi mum" the project page will interpret that. http://jsfiddle.net/uLpecL5o/

The escapejs filter will escape all the correct characters; the resulting string of the JSON can then be safely parsed by the browser.

If we want to use |safe we really need to be sure that data is safe, which may mean that instead we sanitise it before storing it.

Oops, yes, too long working with jinja2, which is based on django; got confused there!

Michael

On 07/11/14 16:52, Damian, Alexandru wrote:
> Hi, this is a good point you raise here - there are some aspects that
> need considering, though -
>
> the data coming in this page (e.g. prj, builds, etc.) is already
> coming as JSON, the conversion is done in the view. Here we mark the
> value as not needing any further escape (through the safe filter)
> because we know it's already a valid JSON string.
>
> JSON is already valid JavaScript code, so we don't need to parse it
> manually, the browser will interpret it as such.
>
> btw, we're not using jinja2 templating engine, we use the built-in
> django templating engine :)
>
> Cheers,
> Alex
>
> On Thu, Nov 6, 2014 at 4:11 PM, Michael Wood wrote:
>
> When passing the data from the jinja2 template to javascript make sure
> we escape and parse the JSON to avoid any invalid values being
> interpreted.
>
> Signed-off-by: Michael Wood
>
> ---
> bitbake/lib/toaster/toastergui/templates/project.html | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/bitbake/lib/toaster/toastergui/templates/project.html b/bitbake/lib/toaster/toastergui/templates/project.html
> index 6a81283..00fb2b4 100644
> --- a/bitbake/lib/toaster/toastergui/templates/project.html
> +++ b/bitbake/lib/toaster/toastergui/templates/project.html
> @@ -335,13 +335,13 @@ angular.element(document).ready(function() { > scope.urls.layers = "{% url 'layers' %}"; > scope.urls.targets = "{% url 'targets' %}"; > scope.urls.importlayer = "{% url 'importlayer'%}" > - scope.project = {{prj|safe}}; > - scope.builds = {{builds|safe}}; > - scope.layers = {{layers|safe}}; > - scope.targets = {{targets|safe}}; > - scope.frequenttargets = {{freqtargets|safe}}; > - scope.machine = {{machine|safe}}; > - scope.releases = {{releases|safe}}; > + scope.project = JSON.parse ("{{prj|escapejs}}"); > + scope.builds = JSON.parse ("{{builds|escapejs}}"); > + scope.layers = JSON.parse ("{{layers|escapejs}}"); > + scope.targets = JSON.parse ("{{targets|escapejs}}"); > + scope.frequenttargets = JSON.parse ("{{freqtargets|escapejs}}"); > + scope.machine = JSON.parse ("{{machine|escapejs}}"); > + scope.releases = JSON.parse ("{{releases|escapejs}}"); > > scope.zone1alerts = []; > scope.zone2alerts = []; > -- > 1.9.1 > > -- > _______________________________________________ > toaster mailing list > toaster@yoctoproject.org > https://lists.yoctoproject.org/listinfo/toaster > > > > > -- > Alex Damian > Yocto Project > SSG / OTC > > --------------------------------------------------------------------- > Intel Corporation (UK) Limited > Registered No. 1134945 (England) > Registered Office: Pipers Way, Swindon SN3 1RJ > VAT No: 860 2173 47 > > This e-mail and any attachments may contain confidential material for > the sole use of the intended recipient(s). Any review or distribution > by others is strictly prohibited. If you are not the intended > recipient, please contact the sender and delete all copies. >
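Review bot: the seven `JSON.parse ("{{...|escapejs}}")` lines only hold if every one of prj, builds, layers, targets, freqtargets, machine and releases reaches the template as a JSON-encoded string; if any of them is a Python object or an empty value, the rendered `JSON.parse("")` throws a SyntaxError and aborts the whole `angular.element(document).ready` handler, so either document that contract next to this block or give each value a fallback, e.g. `JSON.parse("{{prj|default:"null"|escapejs}}")`. On the mechanics the change is sound: `escapejs` rewrites `<`, `>`, `"`, `\` and the U+2028/U+2029 line terminators as `\uXXXX` escapes, so a value containing `</script>` can no longer close the inline script element, which is what `{{prj|safe}}` allowed. Style: `JSON.parse (` carries a space before the parenthesis on all seven added lines; drop it to match the surrounding code.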
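The escaping step the thread argues about, as an added example that is not part of the patch, of Toaster, or of Django: a JavaScript mirror of the character mapping Django's `escapejs` filter applies (assumed here to match `django.utils.html.escapejs`), used to render the `scope.project` line both ways for a constructed project name that contains a closing script tag. The sample JSON, the two render helpers and the `new Function` simulation of the browser running the inline script are all constructed for this demo.

```javascript
// Added example, not Toaster/Django code: a JavaScript mirror of the
// character mapping Django's |escapejs filter applies (assumed to match
// django.utils.html.escapejs), used to compare {{prj|safe}} against
// JSON.parse("{{prj|escapejs}}") for a hostile project name.

// Django maps these characters to \uXXXX escapes so the value cannot end a
// JavaScript string literal, a <script> element, or an HTML attribute.
const ESCAPEJS_MAP = {
  "\\": "\\u005C", "'": "\\u0027", '"': "\\u0022", ">": "\\u003E",
  "<": "\\u003C", "&": "\\u0026", "=": "\\u003D", "-": "\\u002D",
  ";": "\\u003B", "`": "\\u0060", "\u2028": "\\u2028", "\u2029": "\\u2029",
};
// ... plus every ASCII control character below 0x20.
for (let i = 0; i < 32; i++) {
  ESCAPEJS_MAP[String.fromCharCode(i)] =
    "\\u" + i.toString(16).toUpperCase().padStart(4, "0");
}

function escapejs(value) {
  return String(value).replace(
    /[\\'"<>&=\-;`\u2028\u2029\u0000-\u001f]/g,
    (ch) => ESCAPEJS_MAP[ch]
  );
}

// Constructed sample: the view hands the template a JSON string (the output
// of json.dumps), and the project name carries a closing script tag.
const PROJECT_NAME = "</script><h1>Hi mum</h1><script>alert(1)";
const PRJ_JSON = JSON.stringify({ id: 1, name: PROJECT_NAME });

// The two template lines from the patch, rendered by hand.
function renderWithSafe(json) {
  return "scope.project = " + json + ";";
}
function renderWithEscapejs(json) {
  return 'scope.project = JSON.parse("' + escapejs(json) + '");';
}

// The HTML parser ends a <script> element at the first "</script" it sees,
// regardless of JavaScript string syntax, so this is the breakout check.
function breaksOutOfScript(rendered) {
  return /<\/script/i.test(rendered);
}

// Simulate the browser executing the inline script and hand back
// scope.project. Demo-only evaluation of a string this file built itself.
function executeInlineScript(rendered) {
  const scope = {};
  new Function("scope", rendered)(scope);
  return scope.project;
}

function demo() {
  const safeOut = renderWithSafe(PRJ_JSON);
  const escapedOut = renderWithEscapejs(PRJ_JSON);
  return {
    safeBreaksOut: breaksOutOfScript(safeOut),        // true
    escapedBreaksOut: breaksOutOfScript(escapedOut),  // false
    roundTripName: executeInlineScript(escapedOut).name,
  };
}

console.log(demo());
```

Run with node: `demo()` reports that the `|safe` rendering leaves a literal `</script>` inside the inline script (the HTML parser ends the script element there, before any of the JavaScript runs), while the `escapejs` rendering contains only `\uXXXX` escapes and still decodes to the original name through `JSON.parse`. Note that `escapejs` only protects string-literal context: it is not an HTML escape, and the value must still sit inside quotes as the patch places it.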