Merge pull request #1296 from dod-ccpo/bugfix/clin-title-xss

Remove an XSS vulnerability in CLIN title form input
2020-01-08 14:07:48 -05:00 · 2020-01-08 14:07:48 -05:00 · 29194a83e1
commit 29194a83e1
parent b1d4d62533 c02bb8518e
3 changed files with 43 additions and 1 deletions
--- a/js/components/clin_fields.js
+++ b/js/components/clin_fields.js
@ -1,4 +1,5 @@
 import { emitFieldChange } from '../lib/emitters'
+import escape from '../lib/escape'
 import optionsinput from './options_input'
 import textinput from './text_input'
 import clindollaramount from './clin_dollar_amount'
@ -99,7 +100,7 @@ export default {
  computed: {
    clinTitle: function() {
      if (!!this.clinNumber) {
-        return `CLIN ${this.clinNumber}`
+        return escape(`CLIN ${this.clinNumber}`)
      } else {
        return `CLIN`
      }
--- a/js/lib/tests/escape.test.js
+++ b/js/lib/tests/escape.test.js
@ -0,0 +1,21 @@
+import escape from '../escape'
+describe('escape', () => {
+  const htmlEscapes = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#x27;',
+    '/': '&#x2F;',
+  }
+  it('should escape each character', () => {
+    for (let [char, escapedChar] of Object.entries(htmlEscapes)) {
+      expect(escape(char)).toBe(escapedChar)
+    }
+  })
+  it('should escape multiple characters', () => {
+    expect(escape('& and < and > and " and \' and /')).toBe(
+      '&amp; and &lt; and &gt; and &quot; and &#x27; and &#x2F;'
+    )
+  })
+})
--- a/js/lib/escape.js
+++ b/js/lib/escape.js
@ -0,0 +1,20 @@
+// https://stackoverflow.com/a/6020820
+
+// List of HTML entities for escaping.
+const htmlEscapes = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#x27;',
+  '/': '&#x2F;',
+}
+
+const htmlEscaper = /[&<>"'\/]/g
+
+// Escape a string for HTML interpolation.
+const escape = string => {
+  return ('' + string).replace(htmlEscaper, match => htmlEscapes[match])
+}
+
+export default escape