0.56:

- prevent a form a stored XSS in the stored audit values. Addresses GitHub issue #7. - replaced the use of the YUI compressor ant task by a call to the jar directly as the ant task seems to be incompatible with current underlying dependencies - fixed a small unrelated typo - no new features
share-extras · Jan 26, 2018 · ce73bd4 · ce73bd4
1 parent f040741
commit ce73bd4
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -174,6 +174,13 @@ Some sample screenshots with different configurations are included below :
 Changelog
 ---------
 
+0.56:
+
+    - prevent a form a stored XSS in the stored audit values. Addresses GitHub issue #7.
+    - replaced the use of the YUI compressor ant task by a call to the jar directly as the ant task seems to be incompatible with current underlying dependencies
+    - fixed a small unrelated typo
+    - no new features
+
 0.55:
 
     - switched back to using the previous, alfresco-provided, JSON parsing utility rather than JSON.parse, which is not available in all supported versions for this dashlet (issue #5).

diff --git a/build.properties b/build.properties
@@ -1,3 +1,3 @@
-build.version=0.55
+build.version=0.56
 project.name=audit-dashlet
 jar.name=${project.name}-${build.version}.jar
diff --git a/build.xml b/build.xml
@@ -69,6 +69,7 @@
     <property name="build.zip.dir" value="${build.dir}/war" />
     <property name="build.amp.dir" value="${build.dir}/amp" />
     <property name="dist.dir" value="${basedir}/dist" />
+    <property name="js.dashlet.dir" value="extras/components/dashlets" />
     <property name="amp.file.properties" value="module.properties" />
     <property name="amp.file.mappings" value="file-mapping.properties" />
 
@@ -86,7 +87,7 @@
 
     <path id="yuicompressor.classpath">
         <fileset dir="lib">
-            <include name="yuicompressor-2.4.7.jar"/>
+            <include name="yuicompressor-2.4.8-alfresco-patched.jar"/>
             <include name="yui-compressor-ant-task-0.5.jar"/>
         </fileset>
     </path>
@@ -173,10 +174,19 @@
                 <filename name="share-config-custom.xml" />
             </fileset>
         </copy>
-        <!-- Minify JS -->
-        <yuicompress fromdir="${res.dir}" todir="${build.jar.dir}/META-INF" excludes="**/*-min.js" warn="${yuicompress.warn}">
+
+        <!-- Minify JS ant task : commented out as the ant task is no longer maintained and not compatible with current underlying rhino version -->
+        <!--yuicompress fromdir="${res.dir}" todir="${build.jar.dir}/META-INF" excludes="**/*-min.js" warn="${yuicompress.warn}">
             <include name="**/*.js" />
-        </yuicompress>
+        </yuicompress-->
+
+        <!-- Minify JS by calling the compressor directly -->
+        <echo message="Calling YUI Compressor"/>
+        <java jar="${basedir}/lib/yuicompressor-2.4.8-alfresco-patched.jar" fork="true" failonerror="true">
+            <arg value="${res.dir}/${js.dashlet.dir}/audit-application.js"/>
+            <arg value="-o"/>
+            <arg value="${build.jar.dir}/META-INF/${js.dashlet.dir}/audit-application-min.js"/>
+       </java>
 
         <jar destfile="${dist.dir}/${jar.name}">
             <fileset dir="${build.jar.dir}" />
@@ -446,4 +456,4 @@
     </target>
     -->
 
-</project>
+</project>
diff --git a/...alfresco/site-webscripts/org/sharextras/components/dashlets/audit-application-data.get.js b/...alfresco/site-webscripts/org/sharextras/components/dashlets/audit-application-data.get.js
@@ -81,7 +81,11 @@ function main()
          var escaped_response = json_requoted_response.replace(/(\n|\r\n|\r)/g, " ");
          //if (logger.isLoggingEnabled()) logger.log("escaped_response:\n"+escaped_response);
 
-         var auditresponse = jsonUtils.toObject(escaped_response);
+         // prevents some form of stored XSS by preventing HTML tags from being interpreted as part of the stored audit values. addresses GitHub issue #7.
+         var xss_replacements_response = escaped_response.replace(/</g, "&lt;").replace(/\>/g, "&gt;");
+         //if (logger.isLoggingEnabled()) logger.log("xss_replacements_response:\n"+xss_replacements_response);
+
+         var auditresponse = jsonUtils.toObject(xss_replacements_response);
          model.auditresponse = auditresponse;
          model.jsonResp = result.response;
       }

diff --git a/lib/yuicompressor-2.4.7.jar b/lib/yuicompressor-2.4.7.jar
diff --git a/lib/yuicompressor-2.4.8-alfresco-patched.jar b/lib/yuicompressor-2.4.8-alfresco-patched.jar
diff --git a/source/web/extras/components/dashlets/audit-application.js b/source/web/extras/components/dashlets/audit-application.js
@@ -926,7 +926,7 @@ if (typeof Extras.dashlet == "undefined" || !Extras.dashlet)
 
                }
 
-               // all this additional highlighting work is unncessary if we're looking for negated matches,
+               // all this additional highlighting work is unnecessary if we're looking for negated matches,
                // as there will be no highlighting for those
                if (!negation_predicate_present)
                {