From f0dac5ff074ad686fa71ea663c8ead107bd3041e Mon Sep 17 00:00:00 2001
From: Art Cancro
Date: Fri, 15 Sep 2023 22:04:27 -0400
Subject: [PATCH] webcit: sanitize instant messages against XSS type stuff

---
 webcit/paging.c | 62 ++++++++++++----------------
 webcit/static/instant_messenger.html | 3 ++
 2 files changed, 29 insertions(+), 36 deletions(-)

diff --git a/webcit/paging.c b/webcit/paging.c
index 4b3dc217a..f022c48bc 100644
--- a/webcit/paging.c
+++ b/webcit/paging.c
@@ -1,24 +1,19 @@
-/*
- * This module handles instant message related functions.
- *
- * Copyright (c) 1996-2012 by the citadel.org team
- *
- * This program is open source software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License, version 3.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- */
+// This module handles instant message related functions.
+//
+// Copyright (c) 1996-2023 by the citadel.org team
+//
+// This program is open source software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License, version 3.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
 #include "webcit.h"
-/*
- * display the form for paging (x-messaging) another user
- */
-void display_page(void)
-{
+// display the form for paging (x-messaging) another user
+void display_page(void) {
 char recp[SIZ];
 strcpy(recp, bstr("recp"));
@@ -64,11 +59,9 @@ void display_page(void)
 wDumpContent(1);
 }
-/*
- * page another user
- */
-void page_user(void)
-{
+
+// page another user
+void page_user(void) {
 char recp[256];
 StrBuf *Line;
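Review bot: The context line `strcpy(recp, bstr("recp"));` in display_page copies a request parameter into the fixed-size `char recp[SIZ]` with no length bound, and the commit restyles the comments and braces around it without addressing that. If bstr() returns the raw form/query value, as its use here suggests, an over-long `recp` parameter writes past the end of the stack buffer; `snprintf(recp, sizeof recp, "%s", bstr("recp"));` bounds the copy and keeps the NUL terminator. The next hunk shows page_user sizing its own buffer as `char recp[256]`, so the two entry points also disagree on the limit (the value of SIZ is not visible here). The rest of both function bodies lies outside these hunks.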
@@ -76,7 +69,8 @@ void page_user(void)
 if (!havebstr("send_button")) {
 AppendImportantMessage(_("Message was not sent."), -1);
- } else {
+ }
+ else {
 Line = NewStrBuf();
 serv_printf("SEXP %s|-", recp);
 StrBuf_ServGetln(Line);
@@ -94,19 +88,15 @@ void page_user(void)
 }
-
-/*
- * display page popup
- * If there are instant messages waiting, and we notice that we haven't checked them in
- * a while, it probably means that we need to open the instant messenger window.
- */
-int Conditional_PAGE_WAITING(StrBuf *Target, WCTemplputParams *TP)
-{
+// display page popup
+// If there are instant messages waiting, and we notice that we haven't checked them in
+// a while, it probably means that we need to open the instant messenger window.
+int Conditional_PAGE_WAITING(StrBuf *Target, WCTemplputParams *TP) {
 int len;
 char buf[SIZ];
- /** JavaScript function to alert the user that popups are probably blocked */
- /** First, do the check as part of our page load. */
+ // JavaScript function to alert the user that popups are probably blocked
+ // First, do the check as part of our page load.
 serv_puts("NOOP");
 len = serv_getln(buf, sizeof buf);
 if ((len >= 3) && (buf[3] == '*')) {
@@ -115,7 +105,7 @@ int Conditional_PAGE_WAITING(StrBuf *Target, WCTemplputParams *TP)
 }
 }
 return 0;
- /* Then schedule it to happen again a minute from now if the user is idle. */
+ // Then schedule it to happen again a minute from now if the user is idle.
 }
@@ -133,7 +123,7 @@ void ajax_send_instant_message(void) {
 serv_puts("000");
 }
- escputs(buf); /* doesn't really matter what we return - the client ignores it */
+ escputs(buf); // doesn't really matter what we return - the client ignores it
 }
diff --git a/webcit/static/instant_messenger.html b/webcit/static/instant_messenger.html
index 59f9981d4..67b3604a3 100644
--- a/webcit/static/instant_messenger.html
+++ b/webcit/static/instant_messenger.html
@@ -102,6 +102,9 @@ function ShowNewMsg(gexp_xmlresponse) {
 result = gexp_response.substring(0, breakpos-1);
 the_message = gexp_response.substring(breakpos+1);
 the_message = the_message.substring(0, the_message.indexOf('\n000'));
+ the_message = the_message.replaceAll("<", "<");
+ the_message = the_message.replaceAll(">", ">");
+ the_message = the_message.replaceAll("&", "&");
 sender = extract_token(result.substring(4), 3, '|');
 // Figure out which div to write it to...
-- 
2.30.2
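Review bot: The three added replaceAll calls run the `&` substitution last, so if the replacement strings are the HTML entities the subject line implies (on this page each call's search and replacement text render identically, presumably because the entity text was decoded on display), the `&` of the entity just produced for `<` or `>` is escaped again and a message containing `<` is shown as the literal text `&lt;`. The ampersand pass has to come first: `the_message = the_message.replaceAll("&", "&amp;");` then `the_message = the_message.replaceAll("<", "&lt;");` and `the_message = the_message.replaceAll(">", "&gt;");`. Hand-rolled escaping is only needed if the_message is later assigned through innerHTML, which is not visible in this hunk; inserting it with textContent or a text node would remove the need for this step altogether. `sender`, taken from the same server response on the following line, receives no escaping and needs the same treatment if it is rendered as HTML. ShowNewMsg begins before this hunk and continues after it.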