Fix replace script tags in URL

Replace script tags in URL with fcc tags. This prevents some xss bugs blocking code from running in the iFrame.
2015-10-06 16:39:15 -07:00
parent e6afda62c7
commit 33e8f35bbf
3 changed files with 56 additions and 34 deletions
--- a/server/boot/user.js
+++ b/server/boot/user.js
@@ -11,6 +11,12 @@ const debug = debugFactory('freecc:boot:user');
 const daysBetween = 1.5;
 const sendNonUserToMap = ifNoUserRedirectTo('/map');

+function replaceScriptTags(value) {
+  return value
+    .replace(/<script>/gi, 'fccss')
+    .replace(/<\/script>/gi, 'fcces');
+}
+
 function calcCurrentStreak(cals) {
  const revCals = cals.concat([Date.now()]).slice().reverse();
  let streakBroken = false;
@@ -239,7 +245,9 @@ module.exports = function(app) {
          moment,

          longestStreak: profileUser.longestStreak,
-          currentStreak: profileUser.currentStreak
+          currentStreak: profileUser.currentStreak,
+
+          replaceScriptTags
        });
      }
    );
--- a/server/views/account/show.jade
+++ b/server/views/account/show.jade
@@ -131,7 +131,7 @@ block content
                                            td.col-xs-4= bonfire.name
                                            td.col-xs-2= moment(bonfire.completedDate, 'x').format("MMM DD, YYYY")
                                            td.col-xs-6
-                                                a(href='/challenges/' + bonfire.name + '?solution=' + encodeURIComponent(bonfire.solution), target='_blank') View my solution
+                                                a(href='/challenges/' + bonfire.name + '?solution=' + encodeURIComponent(replaceScriptTags(bonfire.solution)), target='_blank') View my solution
                        if (waypoints.length > 0)
                            .col-sm-12
                                table.table.table-striped
@@ -146,7 +146,7 @@ block content
                                            td.col-xs-2= moment(challenge.completedDate, 'x').format("MMM DD, YYYY")
                                            td.col-xs-6
                                              if (challenge.solution)
-                                                  a(href='/challenges/' + challenge.name + '?solution=' + encodeURIComponent(challenge.solution), target='_blank') View my solution
+                                                  a(href='/challenges/' + challenge.name + '?solution=' + encodeURIComponent(replaceScriptTags(challenge.solution)), target='_blank') View my solution
                                              else
                                                  a(href='/challenges/' + challenge.name) View this challenge