From 837fc8859b80c86e5959a3adb01788474a022a4d Mon Sep 17 00:00:00 2001
From: Wim Brand <fornax@fornaxian.com>
Date: Mon, 4 Dec 2017 22:00:25 +0100
Subject: [PATCH] Fix XSS vulnerability on the viewer page

---
 res/static/res/script/DetailsWindow.js |  6 +++---
 res/static/res/script/ListNavigator.js |  6 +++---
 res/static/res/script/Viewer.js        | 11 ++++++++++-
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/res/static/res/script/DetailsWindow.js b/res/static/res/script/DetailsWindow.js
index 512c4b8..cc61d88 100644
--- a/res/static/res/script/DetailsWindow.js
+++ b/res/static/res/script/DetailsWindow.js
@@ -11,13 +11,13 @@ var DetailsWindow = {
 	},
 	setDetails: function (file) {
 		var fileInfo = "<table>"
-			+ "<tr><td>Name<td><td>" + file.file_name + "</td></tr>"
+			+ "<tr><td>Name<td><td>" + escapeHTML(file.file_name) + "</td></tr>"
 			+ "<tr><td>Url<td><td><a href=\"/u/" + file.id + "\">Open</a></td></tr>"
-			+ "<tr><td>Mime Type<td><td>" + file.mime + "</td></tr>"
+			+ "<tr><td>Mime Type<td><td>" + escapeHTML(file.mime) + "</td></tr>"
 			+ "<tr><td>Id<td><td>" + file.id + "</td></tr>"
 			+ "<tr><td>Size<td><td class=\"bytecounter\">" + file.file_size + "</td></tr>"
 			+ "<tr><td>Upload Date<td><td>" + file.date_upload + "</td></tr>"
-			+ "<tr><td>Description<td><td>" + file.desc + "</td></tr>"
+			+ "<tr><td>Description<td><td>" + escapeHTML(file.desc) + "</td></tr>"
 			+ "</table>";
 		$("#info-fileDetails").html(fileInfo);
 	}
diff --git a/res/static/res/script/ListNavigator.js b/res/static/res/script/ListNavigator.js
index c563664..1fdf47e 100644
--- a/res/static/res/script/ListNavigator.js
+++ b/res/static/res/script/ListNavigator.js
@@ -127,9 +127,9 @@ var ListNavigator = {
 			var thumb = this.data[i].thumbnail;
 			var name = this.data[i].file_name;
 			
-			var itemHtml = name + "<br>"
+			var itemHtml = escapeHTML(name) + "<br>"
 				+ "<img src=\"" + thumb + "\" "
-				+ "class=\"listItemThumbnail lazy\" alt=\"" + name + "\"/>";
+				+ "class=\"listItemThumbnail lazy\" alt=\"" + escapeHTML(name) + "\"/>";
 			
 			navigatorItems[i].innerHTML = itemHtml;
 		}
@@ -150,7 +150,7 @@ var ListNavigator = {
 
 			var itemHtml = "<div class=\"listItem\" "
 				+ "onClick=\"ListNavigator.setItem('" + i + "')\">"
-				+ filename + "<br>"
+				+ escapeHTML(filename) + "<br>"
 			//	+ "<img src=\"/api/thumbnail/" + item.id + "\" " // Lazy Loading
 			//	+ "class=\"listItemThumbnail lazy\" alt=\"" + filename + "\"/>"
 				+ "</div>";
diff --git a/res/static/res/script/Viewer.js b/res/static/res/script/Viewer.js
index a974d4b..7cd0feb 100644
--- a/res/static/res/script/Viewer.js
+++ b/res/static/res/script/Viewer.js
@@ -42,4 +42,13 @@ var Viewer = {
 		DetailsWindow.setDetails(file);
 		Toolbar.setViews(file.views);
 	}
-};
\ No newline at end of file
+};
+
+// Against XSS attacks
+function escapeHTML(str) {
+    return String(str)
+		.replace(/&/g, '&amp;')
+		.replace(/</g, '&lt;')
+		.replace(/>/g, '&gt;')
+		.replace(/"/g, '&quot;');
+}
\ No newline at end of file

Name		" + file.file_name + "
Name		" + escapeHTML(file.file_name) + "
Url		Open
Mime Type		" + file.mime + "
Mime Type		" + escapeHTML(file.mime) + "
Id		" + file.id + "
Size		" + file.file_size + "
Upload Date		" + file.date_upload + "
Description		" + file.desc + "
Description		" + escapeHTML(file.desc) + "