From 82111163750930758e49ced905af2c3b8ad24be4 Mon Sep 17 00:00:00 2001
From: Jordan Wright <jmwright798@gmail.com>
Date: Wed, 25 May 2016 18:35:47 -0500
Subject: [PATCH] Fixing some minor xss issues - Fixes #272

---
 static/js/app/templates.js | 10 +++++-----
 static/js/app/users.js     | 36 ++++++++++++++++++------------------
 2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/static/js/app/templates.js b/static/js/app/templates.js
index 250873c8..aa8f1e7c 100644
--- a/static/js/app/templates.js
+++ b/static/js/app/templates.js
@@ -36,7 +36,7 @@ function save(idx) {
         // Add the attachments
     $.each($("#attachmentsTable").DataTable().rows().data(), function(i, target) {
         template.attachments.push({
-            name: target[1],
+            name: unescapeHtml(target[1]),
             content: target[3],
             type: target[4],
         })
@@ -108,7 +108,7 @@ function attach(files) {
                 // Add the record to the modal
             attachmentsTable.row.add([
                 '<i class="fa ' + icon + '"></i>',
-                file.name,
+                escapeHtml(file.name),
                 '<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
                 reader.result.split(",")[1],
                 file.type || "application/octet-stream"
@@ -157,7 +157,7 @@ function edit(idx) {
                 // Add the record to the modal
             attachmentsTable.row.add([
                 '<i class="fa ' + icon + '"></i>',
-                file.name,
+                escapeHtml(file.name),
                 '<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
                 file.content,
                 file.type || "application/octet-stream"
@@ -212,7 +212,7 @@ function copy(idx) {
                 // Add the record to the modal
             attachmentsTable.row.add([
                 '<i class="fa ' + icon + '"></i>',
-                file.name,
+                escapeHtml(file.name),
                 '<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
                 file.content,
                 file.type || "application/octet-stream"
@@ -279,7 +279,7 @@ function load() {
                 templateTable.clear()
                 $.each(templates, function(i, template) {
                     templateTable.row.add([
-                        template.name,
+                        escapeHtml(template.name),
                         moment(template.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
                         "<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Template' onclick='edit(" + i + ")'>\
                     <i class='fa fa-pencil'></i>\
diff --git a/static/js/app/users.js b/static/js/app/users.js
index db591429..14dc7d5d 100644
--- a/static/js/app/users.js
+++ b/static/js/app/users.js
@@ -5,10 +5,10 @@ function save(idx) {
     var targets = []
     $.each($("#targetsTable").DataTable().rows().data(), function(i, target) {
         targets.push({
-            first_name: target[0],
-            last_name: target[1],
-            email: target[2],
-            position: target[3]
+            first_name: unescapeHtml(target[0]),
+            last_name: unescapeHtml(target[1]),
+            email: unescapeHtml(target[2]),
+            position: unescapeHtml(target[3])
         })
     })
     var group = {
@@ -71,10 +71,10 @@ function edit(idx) {
         $.each(group.targets, function(i, record) {
             targets.DataTable()
                 .row.add([
-                    record.first_name,
-                    record.last_name,
-                    record.email,
-                    record.position,
+                    escapeHtml(record.first_name),
+                    escapeHtml(record.last_name),
+                    escapeHtml(record.email),
+                    escapeHtml(record.position),
                     '<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
                 ]).draw()
         });
@@ -96,10 +96,10 @@ function edit(idx) {
             $.each(data.result, function(i, record) {
                 targets.DataTable()
                     .row.add([
-                        record.first_name,
-                        record.last_name,
-                        record.email,
-                        record.position,
+                        escapeHtml(record.first_name),
+                        escapeHtml(record.last_name),
+                        escapeHtml(record.email),
+                        escapeHtml(record.position),
                         '<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
                     ]).draw()
             });
@@ -146,8 +146,8 @@ function load() {
                         }
                     })
                     groupTable.row.add([
-                        group.name,
-                        targets,
+                        escapeHtml(group.name),
+                        escapeHtml(targets),
                         moment(group.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
                         "<div class='pull-right'><button class='btn btn-primary' data-toggle='modal' data-target='#modal' onclick='edit(" + i + ")'>\
                     <i class='fa fa-pencil'></i>\
@@ -173,10 +173,10 @@ $(document).ready(function() {
     $("#targetForm").submit(function() {
             targets.DataTable()
                 .row.add([
-                    $("#firstName").val(),
-                    $("#lastName").val(),
-                    $("#email").val(),
-                    $("#position").val(),
+                    escapeHtml($("#firstName").val()),
+                    escapeHtml($("#lastName").val()),
+                    escapeHtml($("#email").val()),
+                    escapeHtml($("#position").val()),
                     '<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
                 ])
                 .draw()