fix XSS in imported game player name/rating

oaki · Mar 31, 2016 · 64c9421 · 64c9421
1 parent 20d5278
commit 64c9421
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 5 deletions.
diff --git a/app/templating/GameHelper.scala b/app/templating/GameHelper.scala
@@ -123,7 +123,9 @@ trait GameHelper { self: I18nHelper with UserHelper with AiHelper with StringHel
     player.userId.flatMap(lightUser) match {
       case None =>
         val klass = cssClass.??(" " + _)
-        val content = player.aiLevel.fold(player.name | User.anonymous) { aiName(_, withRating) }
+        val content = escape {
+          player.aiLevel.fold(player.name | User.anonymous) { aiName(_, withRating) }
+        }
         s"""<span class="user_link$klass">$content$statusIcon</span>"""
       case Some(user) =>
         val klass = userClass(user.id, cssClass, withOnline)

diff --git a/app/views/base/layout.scala.html b/app/views/base/layout.scala.html
@@ -204,7 +204,7 @@ <h1>
     @moreJs
     @if(lang.language != "en") {
     @embedJs {
-    lichess_translations = @jsI18n();
+    lichess_translations = @jsI18n()
     }
     @momentLangTag
     }

diff --git a/modules/importer/src/main/DataForm.scala b/modules/importer/src/main/DataForm.scala
@@ -64,7 +64,7 @@ case class ImportData(pgn: String, analyse: Option[String]) {
         val date = tag(_.Date)
 
         def name(whichName: TagPicker, whichRating: TagPicker): String = tag(whichName).fold("?") { n =>
-          n + ~tag(whichRating).map(e => " (%s)" format e)
+          n + ~tag(whichRating).map(e => s" (%${e take 8})")
         }
 
         val dbGame = Game.make(

diff --git a/modules/round/src/main/JsonView.scala b/modules/round/src/main/JsonView.scala
@@ -4,6 +4,7 @@ import scala.concurrent.duration._
 import scala.math
 
 import play.api.libs.json._
+import org.apache.commons.lang3.StringEscapeUtils.escapeHtml4
 
 import lila.common.Maths.truncateAt
 import lila.common.PimpedJson._
@@ -154,7 +155,7 @@ final class JsonView(
               "spectator" -> true,
               "ai" -> player.aiLevel,
               "user" -> playerUser.map { userJsonView(_, game.perfType) },
-              "name" -> player.name,
+              "name" -> player.name.map(escapeHtml4),
               "rating" -> player.rating,
               "ratingDiff" -> player.ratingDiff,
               "provisional" -> player.provisional.option(true),
@@ -168,7 +169,7 @@ final class JsonView(
               "color" -> opponent.color.name,
               "ai" -> opponent.aiLevel,
               "user" -> opponentUser.map { userJsonView(_, game.perfType) },
-              "name" -> opponent.name,
+              "name" -> opponent.name.map(escapeHtml4),
               "rating" -> opponent.rating,
               "ratingDiff" -> opponent.ratingDiff,
               "provisional" -> opponent.provisional.option(true),