Security fixes

app/assets/v2/js/pages/bounty_details.js

@@ -25,7 +25,7 @@ var gitcoin_ize = function(key, val) {
 
 var email_ize = function(key, val) {
 
-  if (val == 'Anonymous' || val == '') {
+  if (!validateEmail(val)) {
     $('#bounty_owner_email').remove();
     $('#bounty_owner_email_label').remove();
   }
@@ -243,6 +243,7 @@ var callbacks = {
     var tags = [];
 
     keywords.forEach(function(keyword) {
+      keyword = keyword.replace(/[\W_]+/g, '');
       tags.push('<a href="/explorer/?q=' + keyword.trim() + '"><div class="tag keyword">' + keyword + '</div></a>');
     });
     return [ 'issue_keywords', tags ];

app/assets/v2/js/shared.js

@@ -159,10 +159,16 @@ var sanitizeDict = function(d, keyToIgnore) {
 };
 
 var sanitizeAPIResults = function(results, keyToIgnore) {
-  for (var i = 0; i < results.length; i++) {
-    results[i] = sanitizeDict(results[i], keyToIgnore);
+  if (results.length >= 1) {
+    for (var i = 0; i < results.length; i++) {
+      results[i] = sanitizeDict(results[i], keyToIgnore);
+    }
+    return results;
   }
-  return results;
+
+  results = [results];
+  results[0] = sanitizeDict(results[0], keyToIgnore);
+  return results[0];
 };
 
 function ucwords(str) {
@@ -176,6 +182,8 @@ var sanitize = function(str) {
     return str;
   }
   result = DOMPurify.sanitize(str);
+  result = result.replace(/(<([^>]+)>)/ig, '');
+
   return result;
 };
 
@@ -634,7 +642,7 @@ var retrieveIssueDetails = function() {
     result = sanitizeAPIResults(result);
     if (result['keywords']) {
       var keywords = result['keywords'];
-
+	  
       showChoices('#keyword-suggestions', '#keywords', keywords);
       $('#keywords').select2({
         placeholder: 'Select tags',

app/dashboard/models.py

@@ -49,6 +49,7 @@
 import pytz
 import requests
 from app.utils import get_upload_filename
+from bleach import clean
 from dashboard.tokens import addr_to_token, token_by_name
 from economy.models import ConversionRate, EncodeAnything, SuperModel, get_time
 from economy.utils import ConversionRateNotFoundError, convert_amount, convert_token_to_usdt
@@ -1976,7 +1977,7 @@ def view_props(self):
         obj = self.metadata
         if 'new_bounty' in self.metadata:
             obj = self.metadata['new_bounty']
-        activity['title'] = obj.get('title', '')
+        activity['title'] = clean(obj.get('title', ''), strip=True)
         if 'id' in obj:
             if 'category' not in obj or obj['category'] == 'bounty': # backwards-compatible for category-lacking metadata
                 activity['bounty_url'] = Bounty.objects.get(pk=obj['id']).get_relative_url()
@@ -2626,7 +2627,7 @@ def calc_activity_level(self):
         if visits_last_month > med_threshold:
             return "Med"
         return "Low"
-            
+
 
 
     def calc_longest_streak(self):
@@ -3423,7 +3424,7 @@ def to_dict(self):
         sum_eth_collected = self.get_eth_sum(bounties=fulfilled_bounties)
         works_with_funded = self.get_who_works_with(work_type='funded', bounties=funded_bounties)
         works_with_collected = self.get_who_works_with(work_type='collected', bounties=fulfilled_bounties)
-        
+
         sum_all_funded_tokens = self.get_all_tokens_sum(sum_type='funded', bounties=funded_bounties, network=network)
         sum_all_collected_tokens = self.get_all_tokens_sum(
             sum_type='collected', bounties=fulfilled_bounties, network=network

app/dashboard/templates/bounty/fund.html

@@ -435,7 +435,7 @@ <h3 class="mt-3 mb-4 font-title-lg font-weight-semibold">
   {% include 'shared/analytics.html' %}
   {% include 'shared/footer_scripts_lite.html' %}
   {% include 'shared/footer.html' %}
-  
+
 </body>
 
 {% include 'shared/current_profile.html' %}
@@ -448,7 +448,7 @@ <h3 class="mt-3 mb-4 font-title-lg font-weight-semibold">
 </script>
 <script src="{% static "v2/js/lib/jquery.validate.min.js" %}"></script>
 <script src="{% static "v2/js/shared.js" %}"></script>
-
+<script src="{% static "v2/js/lib/purify.min.js" %}"></script>
 <script src="{% static "v2/js/pages/wallet_estimate.js" %}"></script>
 <script src="{% static "v2/js/lib/ipfs-api.js" %}"></script>
 <script src="{% static "v2/js/ipfs.js" %}"></script>

app/dashboard/views.py

@@ -52,6 +52,7 @@
 import magic
 from app.utils import clean_str, ellipses, get_default_network
 from avatar.utils import get_avatar_context_for_user
+from bleach import clean
 from dashboard.context import quickstart as qs
 from dashboard.utils import ProfileHiddenException, ProfileNotFoundException, get_bounty_from_invite_url, profile_helper
 from economy.utils import convert_token_to_usdt
@@ -1820,12 +1821,12 @@ def bounty_details(request, ghuser='', ghrepo='', ghissue=0, stdbounties_id=None
                 # Currently its not finding anyting in the database
                 if bounty.title and bounty.org_name:
                     params['card_title'] = f'{bounty.title} | {bounty.org_name} Funded Issue Detail | Gitcoin'
-                    params['title'] = params['card_title']
-                    params['card_desc'] = ellipses(bounty.issue_description_text, 255)
+                    params['title'] = clean(params['card_title'], strip=True)
+                    params['card_desc'] = ellipses(clean(bounty.issue_description_text, strip=True), 255)
                     params['noscript'] = {
-                        'title': bounty.title,
+                        'title': clean(bounty.title, strip=True),
                         'org_name': bounty.org_name,
-                        'issue_description_text': bounty.issue_description_text,
+                        'issue_description_text': clean(bounty.issue_description_text, strip=True),
                         'keywords': ', '.join(bounty.keywords.split(','))}
 
                 if bounty.event and bounty.event.slug:
@@ -2433,15 +2434,15 @@ def profile(request, handle, tab=None):
     default_tab = 'activity'
     tab = tab if tab else default_tab
     handle = handle.replace("@", "")
-    
+
     # make sure tab param is correct
     all_tabs = ['active', 'ratings', 'portfolio', 'viewers', 'activity', 'resume', 'kudos', 'earnings', 'spent', 'orgs', 'people']
     tab = default_tab if tab not in all_tabs else tab
     if handle in all_tabs and request.user.is_authenticated:
         # someone trying to go to their own profile?
         tab = handle
         handle = request.user.profile.handle
-    
+
     # user only tabs
     if not handle and request.user.is_authenticated:
         handle = request.user.username