From ff1979e12e0b012374e2ab3712b19f87e1a92e64 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Tue, 1 Sep 2009 01:12:02 -0700
Subject: Fix XSS in tags JS

---
 modules/tag/js/tag.js                 | 10 ++++++++--
 modules/tag/views/admin_tags.html.php |  8 ++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

(limited to 'modules')

diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index 61ac73f4..aaae9e72 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -27,18 +27,24 @@ function closeEditInPlaceForms() {
   }
 }
 
+function str_replace(search_term, replacement, string) {
+  var temp = string.split(search_term);
+  return temp.join(replacement);
+}
+
 function editInPlace(element) {
   closeEditInPlaceForms();
 
   // create edit form
   var tag_id = $(this).attr('id').substr(5);
-  var tag_name = $(this).text();
+  var tag_name = $(this).html();
   var tag_width = $(this).width();
   $(this).parent().data("revert", $(this).parent().html());
   var form = '<form id="gRenameTagForm" method="post" class="ui-helper-clearfix" ';
   form += 'action="' + TAG_RENAME_URL.replace('__ID__', tag_id) + '">';
   form += '<input name="csrf" type="hidden" value="' + csrf_token + '" />';
-  form += '<input id="name" name="name" type="text" class="textbox" value="' + tag_name + '" />';
+  form += '<input id="name" name="name" type="text" class="textbox" value="' +
+          str_replace('"', "&quot;", tag_name) + '" />';
   form += '<input type="submit" class="submit ui-state-default ui-corner-all" value="' + save_i18n + '" i/>';
   form += '<a href="#">' + cancel_i18n + '</a>';
   form += '</form>';
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index 3d805c5e..8f3693aa 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -1,9 +1,9 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <script>
-  var TAG_RENAME_URL = "<?= url::site("admin/tags/rename/__ID__") ?>";
+  var TAG_RENAME_URL = <?= html::js_string(url::site("admin/tags/rename/__ID__")) ?>;
   $("document").ready(function() {
     // using JS for adding link titles to avoid running t() for each tag
-    $("#gTagAdmin .tag-name").attr("title", "<?= t("Click to edit this tag") ?>");
+    $("#gTagAdmin .tag-name").attr("title", <?= t("Click to edit this tag")->for_js() ?>);
     $("#gTagAdmin .delete-link").attr("title", $(".delete-link:first span").html());
 
     // In-place editing for tag admin
@@ -11,8 +11,8 @@
   });
   // make some values available within tag.js
   var csrf_token = "<?= $csrf ?>";
-  var save_i18n = '<?= t("save") ?>';
-  var cancel_i18n = '<?= t("cancel") ?>';
+  var save_i18n = <?= html::js_string(t("save")->for_html_attr()) ?>;
+  var cancel_i18n = <?= html::js_string(t("cancel")->for_html_attr()) ?>;
 </script>
 <div class="gBlock">
   <h2>
-- 
cgit v1.2.3