Commit 5399b82d authored by Piotr Gawron's avatar Piotr Gawron

when showing user comments xss attack is prevented

parent 4a64f4d3
1 merge request!179when showing user comments xss attack is prevented
......@@ -43,6 +43,7 @@
"log4js": "0.6.38",
"mkdirp": "^0.5.1",
"pileup": "^0.6.8",
"request": "^2.79.0"
"request": "^2.79.0",
"xss": "^0.3.7"
}
}
"use strict";
var Promise = require("bluebird");
var xss = require("xss");
var logger = require('../../logger');
var Functions = require('../../Functions');
......@@ -258,7 +259,8 @@ AbstractInfoWindow.prototype._createCommentInfoDiv = function(overlay, data) {
result.appendChild(commentId);
result.appendChild(document.createElement("br"));
var commentContent = document.createElement("div");
commentContent.innerHTML = comment.getContent();
commentContent.innerHTML = xss(comment.getContent());
result.appendChild(commentContent);
}
} else {
......
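Review bot: The new line `commentContent.innerHTML = xss(comment.getContent());` in `_createCommentInfoDiv` relies on the `xss` default whitelist, which by default still admits a set of tags (links and images among them) with their whitelisted attributes, so a comment is rendered as restricted HTML rather than as text. If user comments are meant to be plain text, `commentContent.textContent = comment.getContent();` removes the injection surface entirely without needing the sanitizer; if markup is intended, pass an explicit `whiteList` option to `xss()` and record the allowed tags in a comment next to the call. The other nodes appended to `result`, such as `commentId` built above this hunk, are not visible here, so it is worth confirming none of them is populated via `innerHTML` from comment data. `_createCommentInfoDiv` starts and ends outside the hunk.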
......@@ -14,9 +14,9 @@ var assert = require('assert');
var logger = require('../../logger');
describe('AliasInfoWindow', function() {
describe('constructor', function() {
it("default", function() {
describe('AliasInfoWindow', function () {
describe('constructor', function () {
it("default", function () {
var map = helper.createCustomMap();
var alias = helper.createAlias();
......@@ -26,8 +26,8 @@ describe('AliasInfoWindow', function() {
map.getModel().addAlias(alias);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
assert.equal(alias, aliasWindow.getAlias());
......@@ -35,28 +35,28 @@ describe('AliasInfoWindow', function() {
assert.ok(aliasWindow.getContent().innerHTML.indexOf("loading") >= 0);
assert.equal(logger.getWarnings().length, 0);
});
it("loading data", function() {
it("loading data", function () {
var map = helper.createCustomMap();
map.getOverlayDataForAlias = function() {
map.getOverlayDataForAlias = function () {
return Promise.resolve([]);
};
var javaObject = {
bounds : {
x : 190,
y : 44,
width : 80,
height : 40
bounds: {
x: 190,
y: 44,
width: 80,
height: 40
},
modelId : map.getId(),
idObject : 30001
modelId: map.getId(),
idObject: 30001
};
var alias = new Alias(javaObject);
map.getModel().addAlias(alias);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
assert.equal(alias, aliasWindow.alias);
......@@ -65,29 +65,29 @@ describe('AliasInfoWindow', function() {
});
});
it("createOverlayInfoDiv", function() {
it("createOverlayInfoDiv", function () {
var map = helper.createCustomMap();
var oc = helper.createDrugDbOverlay(map);
var alias = helper.createAlias(map);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
oc.searchNamesByTarget = function() {
return Promise.resolve([ "xField" ]);
oc.searchNamesByTarget = function () {
return Promise.resolve(["xField"]);
};
oc.getElementsByQueryFromServer = function() {
return Promise.resolve([ new Drug({
name : "xField",
references : [],
targets : [],
}) ]);
oc.getElementsByQueryFromServer = function () {
return Promise.resolve([new Drug({
name: "xField",
references: [],
targets: [],
})]);
};
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function(data) {
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf('xField') >= 0);
......@@ -95,29 +95,29 @@ describe('AliasInfoWindow', function() {
});
it("createDrugOverlayInfoDiv", function() {
it("createDrugOverlayInfoDiv", function () {
helper.setUrl("http://test/?id=drug_target_sample");
var map, ie, aliasWindow, oc;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
map = helper.createCustomMap(project);
oc = helper.createDrugDbOverlay(map);
ie = new IdentifiedElement({
id : 436152,
modelId : map.getId(),
type : "ALIAS"
id: 436152,
modelId: map.getId(),
type: "ALIAS"
});
return map.getModel().getByIdentifiedElement(ie, true);
}).then(function(alias) {
}).then(function (alias) {
aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(ie, true);
}).then(function(data) {
}).then(function (data) {
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf('NADH') >= 0);
......@@ -125,90 +125,119 @@ describe('AliasInfoWindow', function() {
});
});
it("createChemicalOverlayInfoDiv", function() {
it("createChemicalOverlayInfoDiv", function () {
var map, ie, aliasWindow, oc;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
map = helper.createCustomMap(project);
oc = helper.createChemicalDbOverlay(map);
ie = new IdentifiedElement({
id : 329170,
modelId : map.getId(),
type : "ALIAS"
id: 329170,
modelId: map.getId(),
type: "ALIAS"
});
return map.getModel().getByIdentifiedElement(ie, true);
}).then(function(alias) {
}).then(function (alias) {
aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(ie, true);
}).then(function(data) {
}).then(function (data) {
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
});
});
it("createCommentOverlayInfoDiv", function() {
var map = helper.createCustomMap();
describe("createOverlayInfoDiv", function () {
it("for comment", function () {
var map = helper.createCustomMap();
var oc = helper.createCommentDbOverlay(map);
var oc = helper.createCommentDbOverlay(map);
var alias = helper.createAlias();
alias.setId(3001);
alias.setIsComplete(true);
alias.setModelId(map.getId());
map.getModel().addAlias(alias);
var alias = helper.createAlias();
alias.setId(3001);
alias.setIsComplete(true);
alias.setModelId(map.getId());
map.getModel().addAlias(alias);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
});
var aliasWindow = new AliasInfoWindow({
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function(data) {
var comment = helper.createComment(alias);
comment.setContent("test comment Content");
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var comment = helper.createComment(alias);
comment.setContent("test comment Content");
data[0] = comment;
data['__FULL__'] = null;
data[0] = comment;
data['__FULL__'] = null;
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf(comment.getContent()) >= 0);
assert.ok(overlayDiv.innerHTML.indexOf(comment.getId()) >= 0);
});
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf(comment.getContent()) >= 0);
assert.ok(overlayDiv.innerHTML.indexOf(comment.getId()) >= 0);
});
it("xss", function () {
var map = helper.createCustomMap();
var oc = helper.createCommentDbOverlay(map);
var alias = helper.createAlias(map);
alias.setId(3001);
alias.setIsComplete(true);
var aliasWindow = new AliasInfoWindow({
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var comment = helper.createComment(alias);
// noinspection HtmlUnknownTarget
comment.setContent("<img id=\"xss-id\" src=\"invalid/path\" onerror='alert(\"XSS test\")' />");
data[0] = comment;
data['__FULL__'] = null;
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(overlayDiv.innerHTML.indexOf("alert") === -1);
});
});
});
it("createGeneticsDiv", function() {
it("createGeneticsDiv", function () {
var map;
var overlay;
var layoutAlias;
var win;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
map = helper.createCustomMap(project);
overlay = new LayoutData(18077, "xxx");
return overlay.init();
}).then(function() {
}).then(function () {
return overlay.getFullAliasById(overlay.getAliases()[0].getId());
}).then(function(data) {
}).then(function (data) {
layoutAlias = data;
return map.getModel().getAliasById(layoutAlias.getId());
}).then(function(alias) {
}).then(function (alias) {
win = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return win.init();
}).then(function() {
win.layoutAliases = [ layoutAlias ];
}).then(function () {
win.layoutAliases = [layoutAlias];
return win.createGenomicDiv();
}).then(function(div) {
}).then(function (div) {
assert.ok(div);
assert.ok(div.innerHTML.indexOf("No reference genome data available on minerva platform") === -1);
win.destroy();
......@@ -216,28 +245,28 @@ describe('AliasInfoWindow', function() {
});
it("createGeneticsDiv with no genetic data", function() {
it("createGeneticsDiv with no genetic data", function () {
var map;
var win;
var aliasId = 329173;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
map = helper.createCustomMap(project);
var overlay = new LayoutData(18077, "xxx");
return overlay.init();
}).then(function() {
}).then(function () {
return map.getModel().getAliasById(aliasId);
}).then(function(alias) {
}).then(function (alias) {
win = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return win.init();
}).then(function() {
win.layoutAliases = [ undefined ];
}).then(function () {
win.layoutAliases = [undefined];
return win.createGenomicDiv();
}).then(function(div) {
}).then(function (div) {
assert.ok(div);
assert.ok(div.innerHTML.indexOf("No reference genome data available on minerva platform") === -1);
win.destroy();
......@@ -245,36 +274,36 @@ describe('AliasInfoWindow', function() {
});
it("createGeneticsDivForUnknownOrganism", function() {
it("createGeneticsDivForUnknownOrganism", function () {
var map;
var overlay;
var layoutAlias;
var win;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
project.setOrganism({
type : "TAXONOMY",
resource : "123456"
type: "TAXONOMY",
resource: "123456"
});
map = helper.createCustomMap(project);
overlay = new LayoutData(18077, "xxx");
return overlay.init();
}).then(function() {
}).then(function () {
return overlay.getFullAliasById(overlay.getAliases()[0].getId());
}).then(function(data) {
}).then(function (data) {
layoutAlias = data;
return map.getModel().getAliasById(layoutAlias.getId());
}).then(function(alias) {
}).then(function (alias) {
win = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return win.init();
}).then(function() {
win.layoutAliases = [ layoutAlias ];
}).then(function () {
win.layoutAliases = [layoutAlias];
return win.createGenomicDiv();
}).then(function(div) {
}).then(function (div) {
assert.ok(div);
assert.ok(div.innerHTML.indexOf("No reference genome data available on minerva platform") >= -1);
win.destroy();
......@@ -282,14 +311,14 @@ describe('AliasInfoWindow', function() {
});
it("createWaitingContentDiv", function() {
it("createWaitingContentDiv", function () {
var map = helper.createCustomMap();
var alias = helper.createAlias(map);
alias.setIsComplete(true);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
assert.ok(functions.isDomElement(aliasWindow.createWaitingContentDiv()));
......
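Review bot: The assertion `assert.ok(overlayDiv.innerHTML.indexOf("alert") === -1);` in the new "xss" test is a weak oracle: it fails for a correct implementation that escapes the payload to text (the resulting innerHTML would contain `&lt;img ... onerror='alert(...)'`, harmless but still containing "alert"), and it passes for a sanitizer that merely rewrites the text around the handler. Asserting on the DOM that was actually built is more direct, e.g. `assert.equal(overlayDiv.querySelector("[onerror]"), null);` alongside the existing check, assuming the test DOM supports `querySelector`. The single `<img onerror>` vector is also the only case covered; one more case using a different whitelisted-tag path would exercise the default whitelist a little further. The `// noinspection HtmlUnknownTarget` line is an IDE directive and would read better as a plain comment stating that the path is intentionally invalid so the handler would fire if it survived sanitization.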