feedback comments are now sanitized

...but not recursively, which resolves juice-shop#30
oguzhalit · Oct 14, 2014 · d836b82 · d836b82
1 parent 8a3321a
commit d836b82
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/lib/insecurity.js b/lib/insecurity.js
@@ -4,6 +4,7 @@
 var crypto = require('crypto'),
  expressJwt = require('express-jwt'),
  jwt = require('jsonwebtoken'),
+ sanitizeHtml = require('sanitize-html'),
  utils = require('./utils');
 
 var defaultSecret = 'too.short';
@@ -34,7 +35,7 @@ exports.authorize = function(user, role) {
 }
 
 exports.sanitizeHtml = function(html) {
- return html;
+ return sanitizeHtml(html);
 }
 
 exports.authenticatedUsers = {

diff --git a/package.json b/package.json
@@ -37,7 +37,8 @@
  "grunt-contrib-uglify": "~0.6",
  "grunt-contrib-concat": "~0.5",
  "grunt-contrib-clean": "~0.6",
- "grunt-contrib-compress": "~0.12"
+ "grunt-contrib-compress": "~0.12",
+ "sanitize-html": "1.4.2"
  },
  "devDependencies": {
  "frisby": "~0.8",

diff --git a/test/server/feedbackApiSpec.js b/test/server/feedbackApiSpec.js
@@ -75,3 +75,25 @@ frisby.create('GET all feedback')
  .get(API_URL + '/Feedbacks')
  .expectStatus(200)
  .toss();
+
+frisby.create('POST sanitizes unsafe HTML from comment')
+ .post(API_URL + '/Feedbacks', {
+ comment: 'I am a harm<script>steal-cookie</script><img src="csrf-attack"/><iframe src="evil-content"></iframe>less comment.',
+ rating: 1
+ })
+ .expectStatus(200)
+ .expectJSON('data', {
+ comment: 'I am a harmless comment.'
+ })
+ .toss();
+
+frisby.create('POST fails to sanitize unsafe HTML recursively')
+ .post(API_URL + '/Feedbacks', {
+ comment: 'I am not harmless: <<img src="csrf-attack"/>img src="csrf-attack"/>',
+ rating: 1
+ })
+ .expectStatus(200)
+ .expectJSON('data', {
+ comment: 'I am not harmless: <img src="csrf-attack"/>'
+ })
+ .toss();