From 5b711d981f62078a3bbe37575fe54784d9955653 Mon Sep 17 00:00:00 2001 From: Hannes Mannerheim Date: Sun, 18 Jan 2015 20:36:08 +0100 Subject: [PATCH] replace html special chars to stop xss --- js/ajax-functions.js | 3 +++ js/dom-functions.js | 3 ++- js/misc-functions.js | 40 ++++++++++++++++++++++++++++++++++++++-- 3 files changed, 43 insertions(+), 3 deletions(-) diff --git a/js/ajax-functions.js b/js/ajax-functions.js index ae47210..991ae75 100644 --- a/js/ajax-functions.js +++ b/js/ajax-functions.js @@ -107,6 +107,8 @@ function getFromAPI(stream, actionOnSuccess) { data = convertEmptyObjectToEmptyArray(data); + data = iterateRecursiveReplaceHtmlSpecialChars(data); + actionOnSuccess(data); }, error: function(data) { @@ -118,6 +120,7 @@ function getFromAPI(stream, actionOnSuccess) { } + /* · · · Post new link color diff --git a/js/dom-functions.js b/js/dom-functions.js index ba77564..3823c98 100644 --- a/js/dom-functions.js +++ b/js/dom-functions.js @@ -930,7 +930,7 @@ function expand_queet(q,doScrolling) { getFromAPI("attachment/" + attachmentId + ".json",function(data){ if(data) { console.log(data); - q.children('.queet').find('.queet-text').html($.trim(data.replace(/@/gi,'').replace(/!/gi,'').replace(/#/gi,'').replace(/@/gi,'').replace(/@/gi,'').replace(/!/gi,'').replace(/#/gi,''))); + q.children('.queet').find('.queet-text').html($.trim(data.replace(/@/gi,'').replace(/!/gi,'').replace(/#/gi,'').replace(/@/gi,'').replace(/@/gi,'').replace(/!/gi,'').replace(/#/gi,''))); } }); } @@ -1286,6 +1286,7 @@ function showConversation(qid) { else { // proceed if we got a conversation_id $.ajax({ url: external_base_url + '/api/statusnet/conversation/' + data.statusnet_conversation_id + ".json?count=100", type: "GET", dataType: "jsonp", success: function(data) { var before_or_after = 'after'; + data = iterateRecursiveReplaceHtmlSpecialChars(data); $.each(data, function (key,obj) { // switch to append after original queet 
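Review bot: The added `iterateRecursiveReplaceHtmlSpecialChars(data)` call only escapes object and array responses; a response that is a plain string comes back unchanged, because the `for...in` loop over a string primitive writes to its indexed properties and those writes are silently dropped in non-strict code. At least one caller receives such a string (`data.replace(...)` on the attachment response in dom-functions.js), so that path stays unescaped while looking covered. A one-line guard closes the gap: `data = typeof data === 'string' ? replaceHtmlSpecialChars(data) : iterateRecursiveReplaceHtmlSpecialChars(data);`. Note also that the encoding happens at fetch time, so every consumer of this data must insert it with `.html()`; any `.text()`, `.attr()` or `.val()` sink would now show `&amp;`-style text, which I cannot verify from this hunk. getFromAPI begins outside the hunk.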
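Review bot: The `.html(...)` call on the attachment response still inserts it as markup, and the escaping introduced in getFromAPI does not reach it: `data.replace(...)` shows this value is a string, and the recursive escaper cannot modify a string primitive. If the `attachment/<id>.json` endpoint returns server-sanitized HTML that is meant to render, that trust should be stated, e.g. `// attachment endpoint returns server-side sanitized HTML; intentionally not escaped`; if it returns plain text, it should go through `replaceHtmlSpecialChars(data)` before the `.html()` call or be set with `.text()`. The old and new versions of this line read identically in this rendering, presumably because the replacement entities were decoded on extraction, so I cannot tell what actually changed. expand_queet begins and ends outside the hunk.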
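Review bot: The escaping added after `success: function(data)` runs only after the JSONP response has already been executed as a script, since the request uses `dataType: "jsonp"`; it therefore protects against markup inside the returned fields, not against the origin serving something other than data. The `statusnet_html` exemption in the escaper also means notice bodies reach the page unescaped, so this path relies entirely on server-side sanitization of that field. I would state both limits next to the call: `// response is JSONP (already executed); this escapes data fields only, statusnet_html is trusted as server-sanitized`. showConversation begins and ends outside the hunk.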
diff --git a/js/misc-functions.js b/js/misc-functions.js index b6f0930..94c4805 100644 --- a/js/misc-functions.js +++ b/js/misc-functions.js @@ -32,7 +32,42 @@ · Contact h@nnesmannerhe.im if you have any questions. · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · */ - + +/* · + · + · Removes HTML special chars recursively from strings in objects + · with one exception: statusnet_html found in notices + · + · @param obj: the object to search and replace in + · + · · · · · · · · · · · · · */ + + +function iterateRecursiveReplaceHtmlSpecialChars(obj) { + for (var property in obj) { + if (obj.hasOwnProperty(property)) { + if (typeof obj[property] == "object") { + iterateRecursiveReplaceHtmlSpecialChars(obj[property]); + } + else { + if(typeof obj[property] == 'string' && property != 'statusnet_html') { + obj[property] = replaceHtmlSpecialChars(obj[property]); + } + } + } + } + return obj; + } +function replaceHtmlSpecialChars(text) { + var map = { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + "'": ''' + }; + return text.replace(/[&<>"']/g, function(m) { return map[m]; }); + } /* · · @@ -262,6 +297,7 @@ function detectRTL(s) { var $queetText = $('
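Review bot: `iterateRecursiveReplaceHtmlSpecialChars` returns a string argument untouched, because assignments to the indexed properties of a string primitive inside the `for...in` loop are silently discarded, so any caller that passes a string-typed response gets no escaping; a guard at the top fixes that: `if (typeof obj === 'string') { return replaceHtmlSpecialChars(obj); }`. The header comment should also say that strings are encoded in place (the same object is returned) and that the encoded values are for `.html()` insertion only, since a `.text()` or `.attr()` consumer would double-encode them, and that `statusnet_html` is skipped because it is trusted as server-sanitized HTML. In this rendering the map reads as an identity mapping (`'&': '&'`), presumably because the entity references were decoded on extraction; if the committed source really maps each character to itself the function is a no-op, which is worth confirming. Style: the loose `==` comparisons on `typeof` and `property` should be `===`.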
').append($streamItem.find('.queet-text').html()); // create an jquery object var $a = $queetText.find('a'); $a.remove(); // remove links var $vcard = $queetText.find('.vcard'); $vcard.remove(); // remove users, groups + var $hcard = $queetText.find('.h-card'); $hcard.remove(); // remove users, groups var $tag = $queetText.find('.tag'); $tag.remove(); // remove tags if($queetText.find('.rtl').length>0) { $queetText.html($queetText.find('.rtl').html()); } // remove rtl container if there is one // remove chars we're not interested in @@ -283,7 +319,7 @@ function detectRTL(s) { else if ($queetText.html().length==0 && $('body').hasClass('rtl')) { $streamItem.children('.stream-item').children('.queet').addClass('rtl'); } - return $streamItem.html().replace(/@/gi,'').replace(/!/gi,'').replace(/#/gi,''); // hacky way to get @#! into mention tags to stop bidirection (css sets an @ with before content method) + return $streamItem.html().replace(/@/gi,'').replace(/!/gi,'').replace(/#/gi,''); // hacky way to get @#! into mention tags to stop bidirection (css sets an @ with before content method) }
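Review bot: The new `.h-card` removal duplicates the `.vcard` line and its comment; a single selector keeps the two in step when the markup changes, `$queetText.find('.vcard, .h-card').remove(); // remove users, groups`, and the intermediate `$vcard`/`$hcard` variables are not used afterwards. detectRTL begins outside the hunk.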
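Review bot: The returned `.replace(/@/gi, ...)`, `/!/` and `/#/` passes run over `$streamItem.html()`, i.e. the whole serialized markup of the item, so they also rewrite attribute values such as `href="...#..."` fragments or addresses containing `@`, not only the visible text. That is harmless only as long as the replacement stays a plain character reference; if it ever emits markup, those attributes break. The old and new lines look identical here, presumably because the replacement entities were decoded on extraction, so I cannot confirm which it is; a comment would pin the constraint: `// runs over the whole serialized markup, attributes included: replacement must remain a character reference`. detectRTL begins outside the hunk.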