From 3812dd6026de724704fcb7d9bc5c876ca05882dc Mon Sep 17 00:00:00 2001
From: Jamie Peabody
Date: Thu, 21 Jun 2018 14:04:36 -0700
Subject: [PATCH] patch(fix #85): fixes xss vulnerability (#86)

---
 package.json | 2 +-
 src/mergely.js | 31 +++++++++++++++++++++++--------
 tests/mergely.spec.js | 31 +++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/package.json b/package.json
index cca5c76..31aaf4b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "mergely",
- "version": "4.0.3",
+ "version": "4.0.4",
 "description": "A javascript UI for diff/merge",
 "directories": {
 "doc": "doc",
diff --git a/src/mergely.js b/src/mergely.js
index b87c788..2bbf274 100644
--- a/src/mergely.js
+++ b/src/mergely.js
@@ -686,17 +686,32 @@ jQuery.extend(Mgly.CodeMirrorDiffView.prototype, {
 // create the textarea and canvas elements
 var height = '10px';
 var width = '10px';
- this.element.append(jQuery('
'));
- this.element.append(jQuery('
'));
- this.element.append(jQuery('
'));
- this.element.append(jQuery('
'));
- var rmargin = jQuery('
');
+
+ var splash = jQuery('
');
+ var canvasLhs = jQuery(`
`);
+ canvasLhs.find('#lhs-margin').attr('id', `${this.id}-lhs-margin`);
+ var editorLhs = jQuery(`
`);
+ editorLhs.eq(0).attr('id', `${this.id}-editor-lhs`);
+ editorLhs.find('#text-lhs').attr('id', `${this.id}-lhs`);
+ var canvasMid = jQuery(`
`);
+ canvasMid.find('#mergely-canvas').attr('id', `${this.id}-mergely-canvas`);
+ canvasMid.find('#lhs-rhs-canvas').attr('id', `${this.id}-lhs-${this.id}-rhs-canvas`);
+
+ this.element.append(splash);
+ this.element.append(canvasLhs);
+ this.element.append(editorLhs);
+ this.element.append(canvasMid);
+ var canvasRhs = jQuery(`
`);
+ canvasRhs.find('#rhs-margin').attr('id', `${this.id}-rhs-margin`);
 if (this.settings.rhs_margin == 'left') {
- this.element.append(rmargin);
+ this.element.append(canvasRhs);
 }
- this.element.append(jQuery('
'));
+ var editorRhs = jQuery(`
`);
+ editorRhs.eq(0).attr('id', `${this.id}-editor-rhs`);
+ editorRhs.find('#text-rhs').attr('id', `${this.id}-rhs`);
+ this.element.append(editorRhs);
 if (this.settings.rhs_margin != 'left') {
- this.element.append(rmargin);
+ this.element.append(canvasRhs);
 }
 if (!this.settings.sidebar) {
 this.element.find('.mergely-margin').css({display: 'none'});
diff --git a/tests/mergely.spec.js b/tests/mergely.spec.js
index 2576bbc..cf53865 100644
--- a/tests/mergely.spec.js
+++ b/tests/mergely.spec.js
@@ -524,5 +524,36 @@ describe('mergely', function () {
 done();
 });
 });
+
+ it.only('should not be vulnerable to XSS', function (done) {
+ function initXSS(options) {
+ // $('body').css({'margin': '0px'}).append("
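Review bot: The new `.attr('id', …)` assignments carry no comment recording why the ids are no longer interpolated into the markup strings, so a later cleanup could fold `this.id` back into the HTML and reopen #85; add above `var splash = jQuery(…)` a comment such as `// ids are set via .attr() rather than interpolated into the markup: this.id is taken from the host element and must never be parsed as HTML (#85)`. The margin and canvas ids are renamed through `.find('#…')` while the editor containers use `.eq(0)`; if any of those placeholders is the root element of its fragment, `.find()` matches nothing and the static placeholder id silently survives, so each `.find()` selector should be confirmed to target a descendant (the markup itself is not visible on this page). If the template literals now contain no `${…}` at all, plain quoted strings would make the "static markup only" property obvious to the reader. The enclosing method starts before this hunk.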
");
+
+ $('body').get(0).innerHTML = "
alert(123)'>
";
+
+ const editor = $('#mergely');
+ editor.mergely(options);
+ return editor;
+ };
+
+ $(document).ready(() => {
+ const editor = initXSS({
+ height: 100,
+ viewport: true,
+ license: 'lgpl-separate-notice',
+ lhs: (setValue) => setValue(macbeth),
+ rhs: (setValue) => setValue(macbeth)
+ });
+ const { mergely } = $('#mergely');
+ // console.log('HERE', $('body').html());
+ // const { mergely } = $('#mergely"');
+ // expect($('#mergely').mergely('_is_change_in_view', 'lhs', {from: 10, to: 20}, {
+ // 'lhs-line-from': 0,
+ // 'lhs-line-to': 25
+ // })).to.be.true;
+ expect($('body').find('#injected')).to.have.length(0);
+ done();
+ });
+ });
 });
 });
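Review bot: `it.only(...)` is committed in the new test, which makes Mocha skip every other case in the suite, so the regression guard for #85 would ship while silently disabling the rest of the coverage; change it to `it('should not be vulnerable to XSS', function (done) {`. The commented-out debugging lines from `// console.log('HERE', …)` through `// })).to.be.true;` and the unused `const { mergely } = $('#mergely');` should be dropped, and the stray `;` after `initXSS`'s closing brace is unnecessary. The assertion only checks that `#injected` is absent; a positive check that the editor actually rendered (for example that the `${this.id}-editor-lhs` container now exists) would keep the test from passing vacuously if `editor.mergely(options)` fails before building the DOM.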