From 33e8f35bbf7c6036a24f16b1700b2a8da1ebbcf0 Mon Sep 17 00:00:00 2001
From: Berkeley Martinez
Date: Tue, 6 Oct 2015 16:39:15 -0700
Subject: [PATCH] Fix replace script tags in URL
Replace script tags in URL with fcc tags. This prevents some xss bugs blocking code from running in the iFrame.
---
 client/commonFramework.js | 76 ++++++++++++++++++++--------------
 server/boot/user.js | 10 ++++-
 server/views/account/show.jade | 4 +-
 3 files changed, 56 insertions(+), 34 deletions(-)
diff --git a/client/commonFramework.js b/client/commonFramework.js
index fcb1ccc58d..d4d86503c1 100644
--- a/client/commonFramework.js
+++ b/client/commonFramework.js
@@ -1,31 +1,49 @@ -// common namespace -// all classes should be stored here -var common = common || { - // init is an array of functions that are - // called at the beginning of dom ready - init: [] -}; +var common = (function() { + // common namespace + // all classes should be stored here + var common = window.common || { + // init is an array of functions that are + // called at the beginning of dom ready + init: [] + }; -common.challengeName = common.challengeName || window.challenge_Name ? - window.challenge_Name : - ''; + common.challengeName = common.challengeName || window.challenge_Name ? + window.challenge_Name : + ''; -common.challengeType = common.challengeType || window.challengeType ? - window.challengeType : - 0; + common.challengeType = common.challengeType || window.challengeType ? + window.challengeType : + 0; -common.challengeId = common.challengeId || window.challenge_Id; + common.challengeId = common.challengeId || window.challenge_Id; -common.challengeSeed = common.challengeSeed || window.challengeSeed ? - window.challengeSeed : - []; + common.challengeSeed = common.challengeSeed || window.challengeSeed ? + window.challengeSeed : + []; -common.seed = common.challengeSeed.reduce(function(seed, line) { - return seed + line + '\n'; -}, ''); + common.seed = common.challengeSeed.reduce(function(seed, line) { + return seed + line + '\n'; + }, ''); + + common.replaceScriptTags = function replaceScriptTags(value) { + return value + .replace(/'); + }; + + return common; +})(); // store code in the URL common.codeUri = (function(common, encode, decode, location, history) { + var replaceScriptTags = common.replaceScriptTags; + var replaceSafeTags = common.replaceSafeTags; var codeUri = { encode: function(code) { return encode(code); 
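Review bot: The new `common.challengeName = common.challengeName || window.challenge_Name ? window.challenge_Name : '';` line still parses as `(common.challengeName || window.challenge_Name) ? window.challenge_Name : ''`, because `||` binds tighter than `?:`, so an already-set `common.challengeName` is overwritten with `undefined` whenever `window.challenge_Name` is absent; the `challengeType` and `challengeSeed` lines in the same hunk have the same shape, and the `challengeSeed` case then feeds `.reduce`, which throws on `undefined`. If the intent of the `common.x || …` prefix is "keep the existing value, else take the window value, else the default", that is `common.challengeName = common.challengeName || window.challenge_Name || '';` (with `|| 0` and `|| []` for the other two); if the window value is meant to win when both exist, the condition needs parentheses around the ternary test instead. The bodies of `replaceScriptTags` and of the `common.replaceSafeTags` that the `codeUri` IIFE captures a few lines later are garbled in this rendering, so their patterns could not be checked here; the `codeUri` IIFE itself continues past the end of the hunk.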
@@ -67,7 +85,7 @@ common.codeUri = (function(common, encode, decode, location, history) { null, location.href.split('?')[0] ); - location.hash = '#?' + query; + location.hash = '#?' + replaceScriptTags(query); } } else { query = location.hash.replace(/^\#\?/, ''); @@ -82,13 +100,15 @@ common.codeUri = (function(common, encode, decode, location, history) { var key = param.split('=')[0]; var value = param.split('=')[1]; if (key === 'solution') { - return codeUri.decode(value); + return replaceSafeTags(codeUri.decode(value || '')); } return solution; }, null); }, querify: function(solution) { - location.hash = '?solution=' + codeUri.encode(solution); + location.hash = '?solution=' + + codeUri.encode(replaceScriptTags(solution)); + return solution; } }; @@ -306,12 +326,6 @@ var sandBox = (function(jailed, codeOutput) { return sandBox; }(window.jailed, common.codeOutput)); -function replaceSafeTags(value) { - return value - .replace(/fccss/gi, ''); -} - var BDDregex = new RegExp( '(expect(\\s+)?\\(.*\\;)|' + '(assert(\\s+)?\\(.*\\;)|' + @@ -416,7 +430,7 @@ var editor = (function(CodeMirror, emmetCodeMirror, common) { common.seed; } - editor.setValue(replaceSafeTags(editorValue)); + editor.setValue(common.replaceSafeTags(editorValue)); editor.refresh(); }); @@ -659,7 +673,7 @@ function showCompletion() { } var resetEditor = function resetEditor() { - editor.setValue(replaceSafeTags(common.seed)); + editor.setValue(common.replaceSafeTags(common.seed)); $('#testSuite').empty(); bonfireExecute(true); common.codeStorage.updateStorage(); diff --git a/server/boot/user.js b/server/boot/user.js index a7c6fe2978..3d360f2776 100644 --- a/server/boot/user.js +++ b/server/boot/user.js @@ -11,6 +11,12 @@ const debug = debugFactory('freecc:boot:user'); const daysBetween = 1.5; const sendNonUserToMap = ifNoUserRedirectTo('/map'); +function replaceScriptTags(value) { + return value + .replace(/
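Review bot: In the `@@ -67` hunk, `location.hash = '#?' + replaceScriptTags(query);` applies the tag replacement to `query` as it is written back into the hash, whereas `querify` in the following hunk applies it to the raw solution before `codeUri.encode`. If `query` at that point is still percent-encoded (it is lifted from the URL and written back without decoding, as far as the visible context shows), a literal case-insensitive replace cannot see tags inside it, so the two write paths do not produce the same hash for the same solution; if that is the case, run the replacement on the decoded solution and re-encode it, or route this path through `codeUri.querify` so there is a single place where the substitution happens. The enclosing function starts and ends outside the hunk, so how `query` is produced could not be confirmed here.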
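Review bot: In the `@@ -82` hunk, `return replaceSafeTags(codeUri.decode(value || ''));` restores the script tags after decoding, so the value `parseQuery` returns is again the user's raw text and must only ever be consumed as text; it currently goes to `editor.setValue` (the `@@ -416` hunk), which is fine, but a comment on this line saying so would stop a future caller from placing it into markup, e.g. `// NOTE: returns the raw solution text (tags restored); treat as text only, never as HTML`. Separately, `value` comes straight from `location.hash`, and if the injected `decode` is `decodeURIComponent` (its argument is not visible in this hunk) a malformed percent sequence throws `URIError` out of the reducer; `try { return replaceSafeTags(codeUri.decode(value || '')); } catch (err) { return solution; }` keeps a bad hash from breaking page load while still treating the solution as absent. The `codeUri` IIFE containing these functions begins before the hunk.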