Fix XSS with display names in the user list

2017-03-01 13:08:36 +01:00 · 2017-03-01 13:08:36 +01:00 · 5797aab3f2
commit 5797aab3f2
parent 26e3971482
1 changed files with 13 additions and 10 deletions
--- a/www/common/toolbar.js
+++ b/www/common/toolbar.js
@ -207,32 +207,35 @@ define([
            var anonymous = numberOfEditUsers - editUsersNames.length;

            // Update the userlist
+            var $usersTitle = $('<h2>').text(Messages.users);
+            var $editUsers = $userButtons.find('.' + USERLIST_CLS);
+            $editUsers.html('').append($usersTitle);
+
            var editUsersList = '';
+            var $editUsersList = $('<pre>');
            if (readOnly !== 1) {
-                editUsersNames.unshift('<span class="yourself">' + Messages.yourself + '</span>');
+                $editUsers.append('<span class="yourself">' + Messages.yourself + '</span>');
                anonymous--;
            }
+            if (editUsersNames.length > 0) {
+                $editUsersList.text(editUsersNames.join('\n')); // .text() to avoid XSS
+                $editUsers.append($editUsersList);
+            }
            if (anonymous > 0) {
                var text = anonymous === 1 ? Messages.anonymousUser : Messages.anonymousUsers;
-                editUsersNames.push('<span class="anonymous">' + anonymous + ' ' + text + '</span>');
+                $editUsers.push('<span class="anonymous">' + anonymous + ' ' + text + '</span>');
            }
            if (numberOfViewUsers > 0) {
                var viewText = '<span class="viewer">';
                if (numberOfEditUsers > 0) {
-                    editUsersNames.push('');
+                    $editUsers.append('<br>');
                    viewText += Messages.and + ' ';
                }
                var viewerText = numberOfViewUsers !== 1 ? Messages.viewers : Messages.viewer;
                viewText += numberOfViewUsers + ' ' + viewerText + '</span>';
-                editUsersNames.push(viewText);
-            }
-            if (editUsersNames.length > 0) {
-                editUsersList += editUsersNames.join('<br>');
+                $editUsers.append(viewText);
            }

-            var $usersTitle = $('<h2>').text(Messages.users);
-            var $editUsers = $userButtons.find('.' + USERLIST_CLS);
-            $editUsers.html('').append($usersTitle).append(editUsersList);

            // Update the buttons
            var fa_editusers = '<span class="fa fa-users"></span>';