cristiancmoises
/
gophish
mirror of https://github.com/gophish/gophish
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated PapaParse config to prevent CSV injection. 

I've updated the PapaParse JS library to the latest version from the master branch which supports the `escapeForumlae` option in order to prevent malicious event entries from being parsed and executed by the Gophish user's spreadsheet software.

When a new PapaParse release is created, I'll update this code to use the updated minified file.
pull/1914/head
Jordan Wright 2020-07-24 22:44:24 -05:00
parent 4e9b94b641
commit b25f5ac5e4
4 changed files with 1938 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
static/js/dist/app/campaign_results.min.js vendored
View File

File diff suppressed because one or more lines are too long

2
static/js/dist/vendor.min.js vendored
View File

File diff suppressed because one or more lines are too long

4
static/js/src/app/campaign_results.js
View File

@ -216,7 +216,9 @@ function exportAsCSV(scope) {
return return
} }
$("#exportButton").html('<i class="fa fa-spinner fa-spin"></i>') $("#exportButton").html('<i class="fa fa-spinner fa-spin"></i>')
var csvString = Papa.unparse(csvScope, {}) var csvString = Papa.unparse(csvScope, {
'escapeFormulae': true
})
var csvData = new Blob([csvString], { var csvData = new Blob([csvString], {
type: 'text/csv;charset=utf-8;' type: 'text/csv;charset=utf-8;'
}); });

1933
static/js/src/vendor/papaparse.min.js vendored
View File

File diff suppressed because one or more lines are too long