Fix XSS: Escape temp vars #5688

Merged
merged 2 commits into from
Jan 2, 2020
84 changes: 42 additions & 42 deletions app/dashboard/templates/bounty/details.html
@@ -260,15 +260,15 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
</div>

<script id="action" type="text/x-jsrender">
<span [[if id]] id="[[:id]]" [[if id == 'submit']] [[if !work_started]] class="none" [[/if]] [[/if]] [[/if]]
title='<div class="tooltip-info tooltip-sm">[[:title]]</div>'>
<span [[if id]] id="[[>id]]" [[if id == 'submit']] [[if !work_started]] class="none" [[/if]] [[/if]] [[/if]]
title='<div class="tooltip-info tooltip-sm">[[>title]]</div>'>
[[if pending_acceptance]]
<a class="button button--primary accept [[if !enabled]]disabled[[/if]]" role="button" href="[[:href]]" target="[[:target]]">
<span class="font-caption">[[:text]] ( [[:pending_acceptance]] )</span>
<a class="button button--primary accept [[if !enabled]]disabled[[/if]]" role="button" href="[[>href]]" target="[[>target]]">
<span class="font-caption">[[>text]] ( [[>pending_acceptance]] )</span>
</a>
[[else]]
<a class="button [[if primary]]button--primary[[else]]button--secondary[[/if]] mr-2 font-caption [[if !enabled]]disabled[[/if]] [[:buttonclass]]" role="button" href="[[:href]]" target="[[:target]]" [[if modal]] data-toggle="modal" data-target=".share-modal" [[/if]]>
<span class="font-caption">[[:text]]</span>
<a class="button [[if primary]]button--primary[[else]]button--secondary[[/if]] mr-2 font-caption [[if !enabled]]disabled[[/if]] [[>buttonclass]]" role="button" href="[[>href]]" target="[[>target]]" [[if modal]] data-toggle="modal" data-target=".share-modal" [[/if]]>
<span class="font-caption">[[>text]]</span>
</a>
[[/if]]
</span>
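Review bot: one level of HTML encoding is not enough for `title='<div class="tooltip-info tooltip-sm">[[>title]]</div>'` if the tooltip is initialised with `html: true`, which the `<div>` wrapper inside the attribute suggests. The browser decodes the attribute value once when it parses the rendered markup, so the `&lt;` emitted by `[[>title]]` is back to `<` by the time Bootstrap reads `title` and injects it as HTML. Either encode `title` a second time for this attribute (a custom converter that runs the HTML encoder over the already-encoded value), or render the tooltip with `html: false` or through a sanitizer. Encoding also does nothing about the scheme of `href="[[>href]]"`: if `href` can ever be user-controlled, a `javascript:` value still passes, so the scheme needs an allow-list check where the action objects are built.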
@@ -278,14 +278,14 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
[[if activity_type != 'unknown_event']]
<div class="row box activity">
<div class="col-12 col-md-1">
<div class="activity-avatar bounty_row user-popover" data-username="[[:name]]" data-html="true" data-toggle="popover" data-container="body">
<img class="avatar" src="/dynamic/avatar/[[:name]]" alt="Avatar"/>
<div class="activity-avatar bounty_row user-popover" data-username="[[>name]]" data-html="true" data-toggle="popover" data-container="body">
<img class="avatar" src="/dynamic/avatar/[[>name]]" alt="Avatar"/>
</div>
</div>
<div class="col-12 col-md-2">
<div class="activity-name text-center text-md-left">
<a href="/profile/[[:name]]" target="_blank" data-username="[[:name]]" data-html="true" data-toggle="popover" data-container="body">
[[:name]]
<a href="/profile/[[>name]]" target="_blank" data-username="[[>name]]" data-html="true" data-toggle="popover" data-container="body">
[[>name]]
</a>
</div>
</div>
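Review bot: `[[>name]]` is encoded for the HTML attribute context, which is the right fix for markup injection, but in `src="/dynamic/avatar/[[>name]]"` and `href="/profile/[[>name]]"` the value is also a URL path segment, and HTML encoding leaves `/`, `?` and `#` untouched. Unless `name` is guaranteed server-side to match a strict handle pattern, register a converter that applies `encodeURIComponent` (for example `$.views.converters("urlseg", encodeURIComponent)` and `[[urlseg:name]]`) for the URL positions, and keep `[[>name]]` for `data-username` and the link text.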
@@ -294,71 +294,71 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>

<div class="col-12 col-md-7">
<div class="activity-tags activity-tag-first align-items-center text-center text-md-left">
[[:text]]
[[>text]]
( <div class="tag token">
<p>
<span>[[:tip.amount]] [[:tip.token]]</span>
<span>[[>tip.amount]] [[>tip.token]]</span>
</p>
</div> )
to
<a href="/profile/[[:tip.to]]">[[:tip.to]]</a>
<a href="/profile/[[>tip.to]]">[[>tip.to]]</a>
</div>
</div>

[[else activity_type == 'work_done']]
<div class="col-12 col-md-7 fulfilled text-center text-md-left">
<div class="activity-status">
[[:text]]
[[>text]]
<i class="far fa-check-circle"></i>
</div>
[[if fulfiller_address]]
<div>
<span class="bounty-subheading">{% trans "ETH Address" %} :</span>
<span class="bounty-text">
<a href="https://etherscan.io/address/[[:fulfiller_address]]" target="_blank" rel="noopener noreferrer">[[:fulfiller_address]]</a>
<a href="https://etherscan.io/address/[[>fulfiller_address]]" target="_blank" rel="noopener noreferrer">[[>fulfiller_address]]</a>
</span>
</div>
[[/if]]
[[if fulfiller_email]]
<div>
<span class="bounty-subheading">{% trans "Email" %} :</span>
<span class="bounty-text">
<a href="mailto:[[:fulfiller_email]]">[[:fulfiller_email]]</a>
<a href="mailto:[[>fulfiller_email]]">[[>fulfiller_email]]</a>
</span>
</div>
[[/if]]
[[if fulfillment_id]]
<div>
<span class="bounty-subheading">{% trans "Submission Id" %} :</span>
<span class="bounty-text">[[:fulfillment_id]]</span>
<span class="bounty-text">[[>fulfillment_id]]</span>
</div>
[[/if]]
</div>
[[else activity_type == 'start_work' || activity_type == 'worker_approved' || activity_type == 'bounty_abandonment_warning' || activity_type == 'worker_applied']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[:text]]
[[>text]]
[[if activity_type == 'worker_approved']]
<a href="/profile/[[:worker_handle]]" target="_blank">
[[:worker_handle]]
<a href="/profile/[[>worker_handle]]" target="_blank">
[[>worker_handle]]
</a> to work on the bounty
[[/if]]
[[if signed_nda]]
<a href="[[:signed_nda.signed_nda.doc]]" download class="d-flex">View signed NDA</a>
<a href="[[>signed_nda.signed_nda.doc]]" download class="d-flex">View signed NDA</a>
[[/if]]
</div>
[[if can_approve_worker ]]
<div class="stop-work-container">
<div class="stop-work mt-2">
<span title="<div class='tooltip-info tooltip-sm'>Reject worker</div>">
<a class="button button--primary" href="[[:reject_worker_url]]">
<a class="button button--primary" href="[[>reject_worker_url]]">
<span class="font-smaller-4">{% trans "Reject worker" %}</span>
</a>
</span>
</div>
<div class="stop-work mt-2">
<span title="<div class='tooltip-info tooltip-sm'>Approve worker</div>">
<a class="button button--primary" href="[[:approve_worker_url]]">
<a class="button button--primary" href="[[>approve_worker_url]]">
<span class="font-smaller-4">{% trans "Approve worker" %}</span>
</a>
</span>
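Review bot: encoding only prevents breaking out of the attribute; it does not restrict the URL scheme, and every `href` in this hunk now carries a stored value. `href="[[>signed_nda.signed_nda.doc]]"` (with `download`), `href="[[>reject_worker_url]]"` and `href="[[>approve_worker_url]]"` are whole URLs, so a stored `javascript:` value survives `[[>` intact; constrain them to http(s) or same-origin paths where they are produced. For `href="https://etherscan.io/address/[[>fulfiller_address]]"` and `href="mailto:[[>fulfiller_email]]"` the value sits inside a fixed URL, so validating `fulfiller_address` as `0x` plus 40 hex digits and the email against a plain address pattern server-side is the cleanest way to stop a `?` or `#` from altering the link target.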
@@ -368,15 +368,15 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<div class="stop-work-container">
<div class="stop-work mt-2">
<span title="<div class='tooltip-info tooltip-sm'>Remove this user's started work on the bounty</div>">
<a id="remove-[[:name]]" class="button button--primary" role="button" href="remove-handle">
<a id="remove-[[>name]]" class="button button--primary" role="button" href="remove-handle">
<span class="font-smaller-4">{% trans "Stop work" %}</span>
</a>
</span>
</div>
[[if slash_possible]]
<div class="stop-work mt-2">
<span title="<div class='tooltip-info tooltip-sm'>Remove this user's started work on the bounty and ding rep</div>">
<a id="remove-slash-[[:name]]" class="button button--primary admin-only" role="button" href="remove-handle">
<a id="remove-slash-[[>name]]" class="button button--primary admin-only" role="button" href="remove-handle">
<span class="font-smaller-4">{% trans "Stop work + Ding Rep" %}</span>
</a>
</span>
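Review bot: `id="remove-[[>name]]"` and `id="remove-slash-[[>name]]"` are keyed only by handle, and the same ids reappear in the `work_submitted` branch later in this file, so a user with both a start_work and a work_submitted activity yields duplicate ids; key them by activity, or use a `data-handle` attribute plus a class. The encoding is correct for the attribute context, but if script later builds `'#remove-' + name` as a selector the handle has to be escaped for that context as well (`CSS.escape`).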
@@ -388,32 +388,32 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
[[else activity_type == 'worker_rejected']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[:text]]
<a href="/profile/[[:worker_handle]]" target="_blank">
[[:worker_handle]]
[[>text]]
<a href="/profile/[[>worker_handle]]" target="_blank">
[[>worker_handle]]
</a>
</div>
</div>
[[else activity_type == 'work_submitted']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[:text]]
[[>text]]
[[if fulfiller_github_url]]
<a target="_blank" href="[[:fulfiller_github_url]]">[{% trans "View Work" %}]</a>
<a target="_blank" href="[[>fulfiller_github_url]]">[{% trans "View Work" %}]</a>
[[/if]]
</div>
[[if slash_possible]]
<div class="stop-work-container">
<div class="stop-work">
<span title="<div class='tooltip-info tooltip-sm'>Remove this user's started work on the bounty</div>">
<a id="remove-[[:name]]" class="button button--primary" role="button" href="remove-handle">
<a id="remove-[[>name]]" class="button button--primary" role="button" href="remove-handle">
<span class="font-smaller-4">{% trans "Stop work" %}</span>
</a>
</span>
</div>
<div class="stop-work">
<span title="<div class='tooltip-info tooltip-sm'>Remove this user's started work on the bounty and ding rep</div>">
<a id="remove-slash-[[:name]]" class="button button--primary admin-only" role="button" href="remove-handle">
<a id="remove-slash-[[>name]]" class="button button--primary admin-only" role="button" href="remove-handle">
<span class="font-smaller-4">{% trans "Stop work + Ding Rep" %}</span>
</a>
</span>
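Review bot: `<a target="_blank" href="[[>fulfiller_github_url]]">` opens a fulfiller-supplied URL in a new tab without `rel="noopener noreferrer"`, unlike the etherscan link earlier in this file; add it. HTML-encoding `fulfiller_github_url` stops attribute breakout but not a `javascript:` or `data:` scheme, and this value is entered by the fulfiller, so validate it against an http(s) URL (ideally a github.com URL) where it is stored, or keep the unvalidated value out of `href`.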
@@ -424,53 +424,53 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
[[else activity_type == 'increased_bounty']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-tags activity-tag-first align-items-center">
[[:text]]
[[>text]]
from
<div class="tag token">
<p>
<span>[[:value_in_token_old]] [[:token_name]]</span>
<span>[[>value_in_token_old]] [[>token_name]]</span>
</p>
</div>
to
<div class="tag token">
<p>
<span>[[:value_in_token_new]] [[:token_name]]</span>
<span>[[>value_in_token_new]] [[>token_name]]</span>
</p>
</div>
</div>
</div>
[[else activity_type == 'new_crowdfund']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-tags activity-tag-first align-items-center">
[[:text]]
[[>text]]
( <div class="tag token">
<p>
<span>[[:crowdfund.amount]] [[:crowdfund.token]]</span>
<span>[[>crowdfund.amount]] [[>crowdfund.token]]</span>
</p>
</div> )
</div>
</div>
[[else activity_type == 'new_kudos']]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status activity-tag-first align-items-center d-flex justify-content-between">
<span>New Kudos sent to <a href="/profile/[[:to_username]]">[[:to_username]]</a></span>
<img width="60px" height="60px" class="activity-kudos text-center text-md-left" src="/static/[[:kudos]]" alt="Kudos">
<span>New Kudos sent to <a href="/profile/[[>to_username]]">[[>to_username]]</a></span>
<img width="60px" height="60px" class="activity-kudos text-center text-md-left" src="/static/[[>kudos]]" alt="Kudos">
</div>
</div>
[[else]]
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[:text]]
[[>text]]
</div>
</div>
[[/if]]
<div class="col-12 col-md-2 text-center text-md-left">
<div class="activity-time">[[:age]]</div>
<div class="activity-time">[[>age]]</div>
</div>
[[if issue_message && activity_type == 'worker_applied' || issue_message && permission_type == 'permissionless' && activity_type == 'start_work' ]]
<div class="bg-lightblue py-3 px-4 rounded mt-3 mb-0 w-100 overflow-auto" style="max-height: 8rem;">
<p class="font-weight-bold mb-2">Work Plan</p>
<p class="mb-0">[[:issue_message.issue_message]]</p>
<p class="mb-0">[[>issue_message.issue_message]]</p>
</div>
[[/if]]
</div>
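Review bot: the condition `[[if issue_message && activity_type == 'worker_applied' || issue_message && permission_type == 'permissionless' && activity_type == 'start_work' ]]` mixes `&&` and `||` without parentheses and only evaluates as intended because `&&` binds tighter; write it as `[[if issue_message && (activity_type == 'worker_applied' || (permission_type == 'permissionless' && activity_type == 'start_work'))]]`. `[[>issue_message.issue_message]]` is the most important switch in this hunk, since the work plan is free text written by the applicant and rendered into a `<p>`. `src="/static/[[>kudos]]"` has the same path-segment caveat as the avatar URLs above: encoding does not stop a `../` or `?` in the value.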
10 changes: 5 additions & 5 deletions app/retail/templates/shared/featured_bounty_cards.html
@@ -2,14 +2,14 @@
<!-- JSRender stuff -->
<script id="featured-card" type="text/x-jsrender">
<div class="bounty-card">
<img src="[[:avatar_url]]" alt="" width="56" height="56" class="bounty-card__avatar rounded-circle">
<img src="[[>avatar_url]]" alt="" width="56" height="56" class="bounty-card__avatar rounded-circle">
<div class="">
<p class="bounty-card__title">[[:title]]</p>
<p class="bounty-card__title">[[>title]]</p>
<div class="d-flex">
<div class="tag token">[[:rounded_amount]] <span>[[:token_name]]</span></div>
<div class="tag usd">[[:value_in_usdt]] <span>USD</span></div>
<div class="tag token">[[>rounded_amount]] <span>[[>token_name]]</span></div>
<div class="tag usd">[[>value_in_usdt]] <span>USD</span></div>
</div>
<a href="[[:url]]" class="bounty-card__link">View Bounty</a>
<a href="[[>url]]" class="bounty-card__link">View Bounty</a>
</div>
</div>
</script>
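Review bot: `href="[[>url]]"` and `src="[[>avatar_url]]"` take whole URLs, and HTML encoding leaves the scheme untouched, so a `javascript:` value in `url` remains a live link. If these fields come from the bounty record (and `avatar_url` from a third party), the check belongs where they are produced: require an http(s) or relative URL and reject anything else. If `title` ever needs to carry markup, render it through a sanitizer rather than going back to `[[:title]]`.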
30 changes: 15 additions & 15 deletions app/retail/templates/shared/result.html
@@ -1,14 +1,14 @@
{% load static i18n %}
<!-- JSRender stuff -->
<script id="result" type="text/x-jsrender">
<a class="result bounty_row [[if hidden]]bounty_row--hidden[[/if]] [[:network]] i[[:standard_bounties_id]]" href="[[:action]]" data-container="body" data-toggle="popover" data-content='{% include "shared/bounty-popover.html" %}'>
<a class="result bounty_row [[if hidden]]bounty_row--hidden[[/if]] [[>network]] i[[>standard_bounties_id]]" href="[[>action]]" data-container="body" data-toggle="popover" data-content='{% include "shared/bounty-popover.html" %}'>
[[if avatar_url]]
<div class="avatar-container col-1 justify-content-center hide_min_viewport">
<img src='[[:avatar_url]]' class='avatar [[:github_org_name]]'>
<img src='[[>avatar_url]]' class='avatar [[>github_org_name]]'>
</div>
[[else]]
<div class="avatar-container col-1 justify-content-center">
<div class="experience [[:experience_level]]">&nbsp;</div>
<div class="experience [[>experience_level]]">&nbsp;</div>
</div>
[[/if]]
<div class="col-12 col-md-8 d-flex flex-column">
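Review bot: `data-content='{% include "shared/bounty-popover.html" %}'` is a single-quoted attribute holding an entire included template that is displayed via `data-toggle="popover"`; if that popover runs with `html: true`, the browser decodes the attribute once before Bootstrap injects it as HTML, so any `[[>...]]` inside bounty-popover.html gives no protection there. That file is not in this diff and needs the same review. The single-quoted attributes `src='[[>avatar_url]]' class='avatar [[>github_org_name]]'` are safe with the `>` converter because it encodes `'` as `&#39;` as well as `"`. The `[[>network]] i[[>standard_bounties_id]]` classes are later used to build a CSS selector, so those two values should be constrained to an identifier and a number at the source.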
@@ -17,14 +17,14 @@
<div class="hiring-alt">HIRING <i class="fa-flag far"></i></div>
[[/if]]
<div class="title font-subheader">
[[:title]]
[[>title]]
[[if event != null && event != '']]
<div class="hackathon-alt">[[:event.name]]</div>
<div class="hackathon-alt">[[>event.name]]</div>
[[/if]]
</div>
<div class="bounty-summary col-12">
<div class="info font-caption">
<span class="status-[[:status]]">
<span class="status-[[>status]]">
<i class="g-icon g-icon__dot-circle"></i>
[[if status === "open"]]
{% trans "Ready to work" %}
@@ -45,10 +45,10 @@
<span class="separator-bull"></span>
[[:p]]
[[if github_comments]]
<span class="separator-bull"></span> <i class="fas fa-comment-alt"></i> [[:github_comments]] {% trans 'Comments' %}
<span class="separator-bull"></span> <i class="fas fa-comment-alt"></i> [[>github_comments]] {% trans 'Comments' %}
[[/if]]
[[if interested.length]]
<span class="separator-bull"></span> <i class="fas fa-user"></i> [[:interested.length]] {% trans 'Applicants' %}
<span class="separator-bull"></span> <i class="fas fa-user"></i> [[>interested.length]] {% trans 'Applicants' %}
[[else]]
<span class="separator-bull"></span> <i class="fas fa-user"></i> 0 {% trans 'Applicants' %}
[[/if]]
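Review bot: `[[:p]]` on the unchanged context line in this hunk is still raw output while every neighbouring tag was switched to `[[>`. Either that is intentional because `p` is a server-rendered HTML fragment, in which case a comment saying so belongs beside it, or it should become `[[>p]]` too; the PR title says the temp vars are escaped, so a reader will assume the latter.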
@@ -61,7 +61,7 @@
[[if network != 'mainnet']]
<div class="tag network_warning">
<p>
<span>[[:network]]</span>
<span>[[>network]]</span>
</p>
</div>
[[/if]]
@@ -70,23 +70,23 @@
[[else]]
<div class="tag token">
<p>
[[:rounded_amount]]
<span>[[:token_name]]</span>
[[>rounded_amount]]
<span>[[>token_name]]</span>
[[if tokens]]
<i class="fas fa-plus mx-1" style="font-size: 0.5rem; position: relative; top: -1px;"></i>
<img class="m-0" style="position: relative; top: -2px;" src="{% static 'v2/images/coin.svg' %}">
[[/if]]
</p>
[[if tokens ]]
<button class="btn-expand-token" onclick="toggleExpandableBounty(event, '.[[:network]].i[[:standard_bounties_id]]')">
<button class="btn-expand-token" onclick="toggleExpandableBounty(event, '.[[>network]].i[[>standard_bounties_id]]')">
{% trans 'See All' %} <i class="fa fa-angle-down arrow"></i>
</button>
[[/if]]
</div>
[[if value_in_usdt]]
<div class="tag usd">
<p>
[[:value_in_usdt]]
[[>value_in_usdt]]
<span>USD</span>
</p>
</div>
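Review bot: `onclick="toggleExpandableBounty(event, '.[[>network]].i[[>standard_bounties_id]]')"` places the values inside a JavaScript string literal inside an HTML attribute, and HTML encoding is the wrong encoder for that context: the browser decodes `&#39;` back to `'` before the handler source is parsed, so a value containing `'` still closes the literal and injects script. Either JS-string-escape both values in addition to HTML-encoding them, or drop the inline handler and attach it from script that reads `data-network` / `data-id` attributes (where `[[>network]]` is exactly right). The same two values form a CSS selector, so anything containing `.` or whitespace breaks `toggleExpandableBounty` even without an exploit.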
@@ -103,12 +103,12 @@
</div>
<div class="tags flex-wrap col-9">
<div class="tag token font-caption">
<p><span>[[:rounded_amount]] [[:token_name]]</span></p>
<p><span>[[>rounded_amount]] [[>token_name]]</span></p>
</div>
[[props tokens]]
[[for prop ~tokenName=key]]
<div class="tag token font-caption">
<p><span>[[:#data]] [[:~tokenName]]<i class="fas fa-users ml-1"></i></span></p>
<p><span>[[>#data]] [[>~tokenName]]<i class="fas fa-users ml-1"></i></span></p>
</div>
[[/for]]
[[/props]]