

Merge pull request #5688 from mul53/fix/escape-html
Fix XSS: Escape temp vars
thelostone-mc authored Jan 2, 2020
2 parents 1257156 + 3571bec commit 4a93848
Showing 3 changed files with 62 additions and 62 deletions.
84 changes: 42 additions & 42 deletions app/dashboard/templates/bounty/details.html
Expand Up @@ -260,15 +260,15 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
</div>

<script id="action" type="text/x-jsrender">
<span [[if id]] id="[[:id]]" [[if id == 'submit']] [[if !work_started]] class="none" [[/if]] [[/if]] [[/if]]
title='<div class="tooltip-info tooltip-sm">[[:title]]</div>'>
<span [[if id]] id="[[>id]]" [[if id == 'submit']] [[if !work_started]] class="none" [[/if]] [[/if]] [[/if]]
title='<div class="tooltip-info tooltip-sm">[[>title]]</div>'>
[[if pending_acceptance]]
<a class="button button--primary accept [[if !enabled]]disabled[[/if]]" role="button" href="[[:href]]" target="[[:target]]">
<span class="font-caption">[[:text]] ( [[:pending_acceptance]] )</span>
<a class="button button--primary accept [[if !enabled]]disabled[[/if]]" role="button" href="[[>href]]" target="[[>target]]">
<span class="font-caption">[[>text]] ( [[>pending_acceptance]] )</span>
</a>
[[else]]
<a class="button [[if primary]]button--primary[[else]]button--secondary[[/if]] mr-2 font-caption [[if !enabled]]disabled[[/if]] [[:buttonclass]]" role="button" href="[[:href]]" target="[[:target]]" [[if modal]] data-toggle="modal" data-target=".share-modal" [[/if]]>
<span class="font-caption">[[:text]]</span>
<a class="button [[if primary]]button--primary[[else]]button--secondary[[/if]] mr-2 font-caption [[if !enabled]]disabled[[/if]] [[>buttonclass]]" role="button" href="[[>href]]" target="[[>target]]" [[if modal]] data-toggle="modal" data-target=".share-modal" [[/if]]>
<span class="font-caption">[[>text]]</span>
</a>
[[/if]]
</span>
Expand All @@ -278,14 +278,14 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
[[if activity_type != 'unknown_event']]
<div class="row box activity">
<div class="col-12 col-md-1">
<div class="activity-avatar bounty_row user-popover" data-username="[[:name]]" data-html="true" data-toggle="popover" data-container="body">
<img class="avatar" src="/dynamic/avatar/[[:name]]" alt="Avatar"/>
<div class="activity-avatar bounty_row user-popover" data-username="[[>name]]" data-html="true" data-toggle="popover" data-container="body">
<img class="avatar" src="/dynamic/avatar/[[>name]]" alt="Avatar"/>
</div>
</div>
<div class="col-12 col-md-2">
<div class="activity-name text-center text-md-left">
<a href="/profile/[[:name]]" target="_blank" data-username="[[:name]]" data-html="true" data-toggle="popover" data-container="body">
[[:name]]
<a href="/profile/[[>name]]" target="_blank" data-username="[[>name]]" data-html="true" data-toggle="popover" data-container="body">
[[>name]]
</a>
</div>
</div>
Expand All @@ -294,71 +294,71 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>

<div class="col-12 col-md-7">
<div class="activity-tags activity-tag-first align-items-center text-center text-md-left">
[[:text]]
[[>text]]
( <div class="tag token">
<p>
<span>[[:tip.amount]] [[:tip.token]]</span>
<span>[[>tip.amount]] [[>tip.token]]</span>
</p>
</div> )
to
<a href="/profile/[[:tip.to]]">[[:tip.to]]</a>
<a href="/profile/[[>tip.to]]">[[>tip.to]]</a>
</div>
</div>

[[else activity_type == 'work_done']]
<div class="col-12 col-md-7 fulfilled text-center text-md-left">
<div class="activity-status">
[[:text]]
[[>text]]
<i class="far fa-check-circle"></i>
</div>
[[if fulfiller_address]]
<div>
<span class="bounty-subheading">{% trans "ETH Address" %} :</span>
<span class="bounty-text">
<a href="https://etherscan.io/address/[[:fulfiller_address]]" target="_blank" rel="noopener noreferrer">[[:fulfiller_address]]</a>
<a href="https://etherscan.io/address/[[>fulfiller_address]]" target="_blank" rel="noopener noreferrer">[[>fulfiller_address]]</a>
</span>
</div>
[[/if]]
[[if fulfiller_email]]
<div>
<span class="bounty-subheading">{% trans "Email" %} :</span>
<span class="bounty-text">
<a href="mailto:[[:fulfiller_email]]">[[:fulfiller_email]]</a>
<a href="mailto:[[>fulfiller_email]]">[[>fulfiller_email]]</a>
</span>
</div>
[[/if]]
[[if fulfillment_id]]
<div>
<span class="bounty-subheading">{% trans "Submission Id" %} :</span>
<span class="bounty-text">[[:fulfillment_id]]</span>
<span class="bounty-text">[[>fulfillment_id]]</span>
</div>
[[/if]]
</div>
[[else activity_type == 'start_work' || activity_type == 'worker_approved' || activity_type == 'bounty_abandonment_warning' || activity_type == 'worker_applied']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[:text]]
[[>text]]
[[if activity_type == 'worker_approved']]
<a href="/profile/[[:worker_handle]]" target="_blank">
[[:worker_handle]]
<a href="/profile/[[>worker_handle]]" target="_blank">
[[>worker_handle]]
</a> to work on the bounty
[[/if]]
[[if signed_nda]]
<a href="[[:signed_nda.signed_nda.doc]]" download class="d-flex">View signed NDA</a>
<a href="[[>signed_nda.signed_nda.doc]]" download class="d-flex">View signed NDA</a>
[[/if]]
</div>
[[if can_approve_worker ]]
<div class="stop-work-container">
<div class="stop-work mt-2">
<span title="<div class='tooltip-info tooltip-sm'>Reject worker</div>">
<a class="button button--primary" href="[[:reject_worker_url]]">
<a class="button button--primary" href="[[>reject_worker_url]]">
<span class="font-smaller-4">{% trans "Reject worker" %}</span>
</a>
</span>
</div>
<div class="stop-work mt-2">
<span title="<div class='tooltip-info tooltip-sm'>Approve worker</div>">
<a class="button button--primary" href="[[:approve_worker_url]]">
<a class="button button--primary" href="[[>approve_worker_url]]">
<span class="font-smaller-4">{% trans "Approve worker" %}</span>
</a>
</span>
Expand All @@ -368,15 +368,15 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<div class="stop-work-container">
<div class="stop-work mt-2">
<span title="<div class='tooltip-info tooltip-sm'>Remove this user's started work on the bounty</div>">
<a id="remove-[[:name]]" class="button button--primary" role="button" href="remove-handle">
<a id="remove-[[>name]]" class="button button--primary" role="button" href="remove-handle">
<span class="font-smaller-4">{% trans "Stop work" %}</span>
</a>
</span>
</div>
[[if slash_possible]]
<div class="stop-work mt-2">
<span title="<div class='tooltip-info tooltip-sm'>Remove this user's started work on the bounty and ding rep</div>">
<a id="remove-slash-[[:name]]" class="button button--primary admin-only" role="button" href="remove-handle">
<a id="remove-slash-[[>name]]" class="button button--primary admin-only" role="button" href="remove-handle">
<span class="font-smaller-4">{% trans "Stop work + Ding Rep" %}</span>
</a>
</span>
Expand All @@ -388,32 +388,32 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
[[else activity_type == 'worker_rejected']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[:text]]
<a href="/profile/[[:worker_handle]]" target="_blank">
[[:worker_handle]]
[[>text]]
<a href="/profile/[[>worker_handle]]" target="_blank">
[[>worker_handle]]
</a>
</div>
</div>
[[else activity_type == 'work_submitted']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[:text]]
[[>text]]
[[if fulfiller_github_url]]
<a target="_blank" href="[[:fulfiller_github_url]]">[{% trans "View Work" %}]</a>
<a target="_blank" href="[[>fulfiller_github_url]]">[{% trans "View Work" %}]</a>
[[/if]]
</div>
[[if slash_possible]]
<div class="stop-work-container">
<div class="stop-work">
<span title="<div class='tooltip-info tooltip-sm'>Remove this user's started work on the bounty</div>">
<a id="remove-[[:name]]" class="button button--primary" role="button" href="remove-handle">
<a id="remove-[[>name]]" class="button button--primary" role="button" href="remove-handle">
<span class="font-smaller-4">{% trans "Stop work" %}</span>
</a>
</span>
</div>
<div class="stop-work">
<span title="<div class='tooltip-info tooltip-sm'>Remove this user's started work on the bounty and ding rep</div>">
<a id="remove-slash-[[:name]]" class="button button--primary admin-only" role="button" href="remove-handle">
<a id="remove-slash-[[>name]]" class="button button--primary admin-only" role="button" href="remove-handle">
<span class="font-smaller-4">{% trans "Stop work + Ding Rep" %}</span>
</a>
</span>
Expand All @@ -424,53 +424,53 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
[[else activity_type == 'increased_bounty']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-tags activity-tag-first align-items-center">
[[:text]]
[[>text]]
from
<div class="tag token">
<p>
<span>[[:value_in_token_old]] [[:token_name]]</span>
<span>[[>value_in_token_old]] [[>token_name]]</span>
</p>
</div>
to
<div class="tag token">
<p>
<span>[[:value_in_token_new]] [[:token_name]]</span>
<span>[[>value_in_token_new]] [[>token_name]]</span>
</p>
</div>
</div>
</div>
[[else activity_type == 'new_crowdfund']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-tags activity-tag-first align-items-center">
[[:text]]
[[>text]]
( <div class="tag token">
<p>
<span>[[:crowdfund.amount]] [[:crowdfund.token]]</span>
<span>[[>crowdfund.amount]] [[>crowdfund.token]]</span>
</p>
</div> )
</div>
</div>
[[else activity_type == 'new_kudos']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status activity-tag-first align-items-center d-flex justify-content-between">
<span>New Kudos sent to <a href="/profile/[[:to_username]]">[[:to_username]]</a></span>
<img width="60px" height="60px" class="activity-kudos text-center text-md-left" src="/static/[[:kudos]]" alt="Kudos">
<span>New Kudos sent to <a href="/profile/[[>to_username]]">[[>to_username]]</a></span>
<img width="60px" height="60px" class="activity-kudos text-center text-md-left" src="/static/[[>kudos]]" alt="Kudos">
</div>
</div>
[[else]]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[:text]]
[[>text]]
</div>
</div>
[[/if]]
<div class="col-12 col-md-2 text-center text-md-left">
<div class="activity-time">[[:age]]</div>
<div class="activity-time">[[>age]]</div>
</div>
[[if issue_message && activity_type == 'worker_applied' || issue_message && permission_type == 'permissionless' && activity_type == 'start_work' ]]
<div class="bg-lightblue py-3 px-4 rounded mt-3 mb-0 w-100 overflow-auto" style="max-height: 8rem;">
<p class="font-weight-bold mb-2">Work Plan</p>
<p class="mb-0">[[:issue_message.issue_message]]</p>
<p class="mb-0">[[>issue_message.issue_message]]</p>
</div>
[[/if]]
</div>
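Review bot: The `title='<div class="tooltip-info tooltip-sm">[[>title]]</div>'` attribute in the `action` template still looks injectable after this change, because the HTML parser decodes the entities when it reads the attribute, and a tooltip that renders `title` as HTML (which the inline `<div>` markup suggests it does) would then insert the decoded value as markup. If that is how the tooltip is configured, `title` needs a second encoding pass before it is placed in the attribute, or the tooltip should be switched to plain-text mode. Separately, `[[>…]]` only entity-encodes; it does not reject a `javascript:` scheme in `href="[[>href]]"`, `href="[[>signed_nda.signed_nda.doc]]"` or `href="[[>fulfiller_github_url]]"`, so any of those that originate from user input should be scheme-checked where they are produced. Whether each of these values is user-controlled cannot be confirmed from the hunk.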
10 changes: 5 additions & 5 deletions app/retail/templates/shared/featured_bounty_cards.html
Expand Up @@ -2,14 +2,14 @@
<!-- JSRender stuff -->
<script id="featured-card" type="text/x-jsrender">
<div class="bounty-card">
<img src="[[:avatar_url]]" alt="" width="56" height="56" class="bounty-card__avatar rounded-circle">
<img src="[[>avatar_url]]" alt="" width="56" height="56" class="bounty-card__avatar rounded-circle">
<div class="">
<p class="bounty-card__title">[[:title]]</p>
<p class="bounty-card__title">[[>title]]</p>
<div class="d-flex">
<div class="tag token">[[:rounded_amount]] <span>[[:token_name]]</span></div>
<div class="tag usd">[[:value_in_usdt]] <span>USD</span></div>
<div class="tag token">[[>rounded_amount]] <span>[[>token_name]]</span></div>
<div class="tag usd">[[>value_in_usdt]] <span>USD</span></div>
</div>
<a href="[[:url]]" class="bounty-card__link">View Bounty</a>
<a href="[[>url]]" class="bounty-card__link">View Bounty</a>
</div>
</div>
</script>
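Review bot: `src="[[>avatar_url]]"` and `href="[[>url]]"` in the `featured-card` template are URL contexts, where entity encoding does not block a `javascript:` or `data:` scheme; if either value can come from user input, it should be restricted to `http(s):` where it is produced or before it reaches the template. Whether these values are user-controlled is not visible in this hunk.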
30 changes: 15 additions & 15 deletions app/retail/templates/shared/result.html
@@ -1,14 +1,14 @@
{% load static i18n %}
<!-- JSRender stuff -->
<script id="result" type="text/x-jsrender">
<a class="result bounty_row [[if hidden]]bounty_row--hidden[[/if]] [[:network]] i[[:standard_bounties_id]]" href="[[:action]]" data-container="body" data-toggle="popover" data-content='{% include "shared/bounty-popover.html" %}'>
<a class="result bounty_row [[if hidden]]bounty_row--hidden[[/if]] [[>network]] i[[>standard_bounties_id]]" href="[[>action]]" data-container="body" data-toggle="popover" data-content='{% include "shared/bounty-popover.html" %}'>
[[if avatar_url]]
<div class="avatar-container col-1 justify-content-center hide_min_viewport">
<img src='[[:avatar_url]]' class='avatar [[:github_org_name]]'>
<img src='[[>avatar_url]]' class='avatar [[>github_org_name]]'>
</div>
[[else]]
<div class="avatar-container col-1 justify-content-center">
<div class="experience [[:experience_level]]">&nbsp;</div>
<div class="experience [[>experience_level]]">&nbsp;</div>
</div>
[[/if]]
<div class="col-12 col-md-8 d-flex flex-column">
Expand All @@ -17,14 +17,14 @@
<div class="hiring-alt">HIRING <i class="fa-flag far"></i></div>
[[/if]]
<div class="title font-subheader">
[[:title]]
[[>title]]
[[if event != null && event != '']]
<div class="hackathon-alt">[[:event.name]]</div>
<div class="hackathon-alt">[[>event.name]]</div>
[[/if]]
</div>
<div class="bounty-summary col-12">
<div class="info font-caption">
<span class="status-[[:status]]">
<span class="status-[[>status]]">
<i class="g-icon g-icon__dot-circle"></i>
[[if status === "open"]]
{% trans "Ready to work" %}
Expand All @@ -45,10 +45,10 @@
<span class="separator-bull"></span>
[[:p]]
[[if github_comments]]
<span class="separator-bull"></span> <i class="fas fa-comment-alt"></i> [[:github_comments]] {% trans 'Comments' %}
<span class="separator-bull"></span> <i class="fas fa-comment-alt"></i> [[>github_comments]] {% trans 'Comments' %}
[[/if]]
[[if interested.length]]
<span class="separator-bull"></span> <i class="fas fa-user"></i> [[:interested.length]] {% trans 'Applicants' %}
<span class="separator-bull"></span> <i class="fas fa-user"></i> [[>interested.length]] {% trans 'Applicants' %}
[[else]]
<span class="separator-bull"></span> <i class="fas fa-user"></i> 0 {% trans 'Applicants' %}
[[/if]]
Expand All @@ -61,7 +61,7 @@
[[if network != 'mainnet']]
<div class="tag network_warning">
<p>
<span>[[:network]]</span>
<span>[[>network]]</span>
</p>
</div>
[[/if]]
Expand All @@ -70,23 +70,23 @@
[[else]]
<div class="tag token">
<p>
[[:rounded_amount]]
<span>[[:token_name]]</span>
[[>rounded_amount]]
<span>[[>token_name]]</span>
[[if tokens]]
<i class="fas fa-plus mx-1" style="font-size: 0.5rem; position: relative; top: -1px;"></i>
<img class="m-0" style="position: relative; top: -2px;" src="{% static 'v2/images/coin.svg' %}">
[[/if]]
</p>
[[if tokens ]]
<button class="btn-expand-token" onclick="toggleExpandableBounty(event, '.[[:network]].i[[:standard_bounties_id]]')">
<button class="btn-expand-token" onclick="toggleExpandableBounty(event, '.[[>network]].i[[>standard_bounties_id]]')">
{% trans 'See All' %} <i class="fa fa-angle-down arrow"></i>
</button>
[[/if]]
</div>
[[if value_in_usdt]]
<div class="tag usd">
<p>
[[:value_in_usdt]]
[[>value_in_usdt]]
<span>USD</span>
</p>
</div>
Expand All @@ -103,12 +103,12 @@
</div>
<div class="tags flex-wrap col-9">
<div class="tag token font-caption">
<p><span>[[:rounded_amount]] [[:token_name]]</span></p>
<p><span>[[>rounded_amount]] [[>token_name]]</span></p>
</div>
[[props tokens]]
[[for prop ~tokenName=key]]
<div class="tag token font-caption">
<p><span>[[:#data]] [[:~tokenName]]<i class="fas fa-users ml-1"></i></span></p>
<p><span>[[>#data]] [[>~tokenName]]<i class="fas fa-users ml-1"></i></span></p>
</div>
[[/for]]
[[/props]]
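Review bot: `[[:p]]` on the separator-bull line in the summary section of the `result` template is still rendered without encoding after this change; unless `p` is known to be server-generated, it should become `[[>p]]` like the rest of the file. The `onclick="toggleExpandableBounty(event, '.[[>network]].i[[>standard_bounties_id]]')"` button is a different problem: the attribute's entities are decoded before the inline handler is parsed as JavaScript, so a value containing `'` would still break out of the string even though it is HTML-encoded. Moving the selector to a data attribute, `data-target=".[[>network]].i[[>standard_bounties_id]]"`, and reading it from a listener bound in script avoids the JS-string context entirely; `network` and `standard_bounties_id` may well be fixed-format values, which the hunk does not show. The `shared/bounty-popover.html` included into `data-content` is outside this diff and should be checked for the same `[[:...]]` pattern.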
