From 9f5fff12251acf8dbe1bf4cc74dab830ada9c4e8 Mon Sep 17 00:00:00 2001
From: bsag <bsag@a4c988fc-2ded-0310-b66e-134b36920a42>
Date: Sun, 28 Aug 2005 14:20:42 +0000
Subject: [PATCH] Added the sanitize method to all of the fields which get
 displayed on the page (context.name, project.name, project.description,
 todo.description, todo.notes, note.body). This stops harmful HTML codes being
 embedded in the page. Sanitize strips out javascript and on* attributes. The
 HTML gets rendered with the HTML entities escaped.

Incidentally, #79 does seem to be fixed now: if you enter a project or context name with a slash, the slash is escaped in the URL as %2F, so links don't break.


git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@142 a4c988fc-2ded-0310-b66e-134b36920a42
---
 tracks/app/views/context/_context_listing.rhtml | 2 +-
 tracks/app/views/context/_show_items.rhtml      | 8 ++++----
 tracks/app/views/context/list.rhtml             | 2 +-
 tracks/app/views/context/show.rhtml             | 6 +++---
 tracks/app/views/note/_notes.rhtml              | 2 +-
 tracks/app/views/note/_notes_summary.rhtml      | 2 +-
 tracks/app/views/project/_project_listing.rhtml | 2 +-
 tracks/app/views/project/_show_items.rhtml      | 8 ++++----
 tracks/app/views/project/show.rhtml             | 4 ++--
 tracks/app/views/shared/add_new_item_form.rhtml | 4 ++--
 tracks/app/views/shared/sidebar.rhtml           | 8 ++++----
 tracks/app/views/todo/_action_edit_form.rhtml   | 4 ++--
 tracks/app/views/todo/_done.rhtml               | 4 ++--
 tracks/app/views/todo/_item.rhtml               | 4 ++--
 tracks/app/views/todo/list.rhtml                | 2 +-
 15 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/tracks/app/views/context/_context_listing.rhtml b/tracks/app/views/context/_context_listing.rhtml
index f5cfa0d5..82863e6c 100644
--- a/tracks/app/views/context/_context_listing.rhtml
+++ b/tracks/app/views/context/_context_listing.rhtml
@@ -18,7 +18,7 @@
               {:action => "move_bottom", :id => context.id}, :title => "Move to bottom", :class=>"to_bottom") %>
 </div>  
 <div class="data">
-  <%= link_to( "#{context.name}", :action => "show", :name => urlize(context.name) ) %>
+  <%= link_to( sanitize("#{context.name}"), :action => "show", :name => urlize(context.name) ) %>
   <%= " (" + context.count_undone_todos("actions") + ")" %>
 </div>
 
diff --git a/tracks/app/views/context/_show_items.rhtml b/tracks/app/views/context/_show_items.rhtml
index 80f8b335..306a5959 100644
--- a/tracks/app/views/context/_show_items.rhtml
+++ b/tracks/app/views/context/_show_items.rhtml
@@ -31,13 +31,13 @@
     <%= staleness( item ) %>
   <% end %>
   <%= due_date( item.due ) %> 
-  <%= item.description %>
+  <%= sanitize(item.description) %>
   <% if item.project_id %>
     <%= link_to( "[P]", { :controller => "project", :action => "show", :name => urlize(item.project.name) }, :title => "View project: #{item.project.name}" ) %>
   <% end %>
   <% if item.notes? %>
   <%= "<a href=\"javascript:Element.toggle('" + item.id.to_s + "')\" class=\"show_notes\" title=\"Show notes\">" + image_tag( "blank", :width=>"16", :height=>"16", :border=>"0" ) + "</a>" %>
-    <%   m_notes = markdown( item.notes ) %>
+    <%   m_notes = sanitize(markdown( item.notes )) %>
     <%= "<div class=\"notes\" id=\"" + item.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
   <% end %>
   </div>
@@ -81,13 +81,13 @@
   <!-- end div.checkbox -->
   <div class="description">
   <span class="grey"><%= format_date( item.completed ) %></span>
-  <%= item.description %>
+  <%= sanitize(item.description) %>
   <% if item.project_id %>
     <%= link_to( "[P]", { :controller => "project", :action => "show", :name => urlize(item.project.name) }, :title => "View project: #{item.project.name}" ) %>
   <% end %>
   <% if item.notes? %>
   <%= "<a href=\"javascript:Element.toggle('" + item.id.to_s + "')\" class=\"show_notes\" title=\"Show notes\">" + image_tag( "blank", :width=>"16", :height=>"16", :border=>"0" ) + "</a>" %>
-    <%   m_notes = markdown( item.notes ) %>
+    <%   m_notes = sanitize(markdown( item.notes )) %>
     <%= "<div class=\"notes\" id=\"" + item.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
   <% end %>
   </div><!-- [end:description] -->
diff --git a/tracks/app/views/context/list.rhtml b/tracks/app/views/context/list.rhtml
index 3ecce4cf..4fbae559 100644
--- a/tracks/app/views/context/list.rhtml
+++ b/tracks/app/views/context/list.rhtml
@@ -33,4 +33,4 @@
   <div class="warning"><%= @flash["warning"] %></div>
 <% end %>
 
-</div><!- End of display_box -->
\ No newline at end of file
+</div><!-- End of display_box -->
\ No newline at end of file
diff --git a/tracks/app/views/context/show.rhtml b/tracks/app/views/context/show.rhtml
index 7c2f01bf..78bfc8fb 100644
--- a/tracks/app/views/context/show.rhtml
+++ b/tracks/app/views/context/show.rhtml
@@ -1,7 +1,7 @@
 <div id="display_box">
 
 <div class="contexts">
-<h2><%= @context.name %></h2>
+<h2><%= sanitize(@context.name) %></h2>
 
   <div id="next_actions">
     <% if @not_done.empty? %>
@@ -44,9 +44,9 @@
                       :html=> { :id=>'context-form-new-action', :name=>'context', :class => 'inline-form' } %>
   <%= hidden_field( "new_item", "context_id", "value" => "#{@context.id}") %>
   <label for="new_item_description">Description</label><br />                                          
-  <%= text_field( "new_item", "description", "size" => 25, "tabindex" => 1 ) %><br />
+  <%= text_field( "new_item", "description", "size" => 25, "tabindex" => 1) %><br />
   <label for="new_item_notes">Notes</label><br />
-  <%= text_area( "new_item", "notes", "cols" => 25, "rows" => 10, "tabindex" => 2 ) %><br />
+  <%= text_area( "new_item", "notes", "cols" => 25, "rows" => 10, "tabindex" => 2) %><br />
   <label for="new_item_project_id">Project</label><br />
     <select name="item[project_id]" id="item_project_id" tabindex="3">
       <option selected="selected"></option>
diff --git a/tracks/app/views/note/_notes.rhtml b/tracks/app/views/note/_notes.rhtml
index 7f447998..84311f24 100644
--- a/tracks/app/views/note/_notes.rhtml
+++ b/tracks/app/views/note/_notes.rhtml
@@ -3,7 +3,7 @@
 <h2><%= link_to("Note #{note.id.to_s}", {:action => "show", :id => note.id}, :title => "Show note #{note.id.to_s}" ) %></h2>
 
 <div id="note-<%= note.id.to_s %>">
-    <%= textilize(note.body) %>
+    <%= sanitize(textilize(note.body)) %>
 
   <div class="note_footer">
     <%= link_to_remote( image_tag("blank", :title =>"Delete this note", :class=>"delete_item"), 
diff --git a/tracks/app/views/note/_notes_summary.rhtml b/tracks/app/views/note/_notes_summary.rhtml
index b1565a51..752aa4e3 100644
--- a/tracks/app/views/note/_notes_summary.rhtml
+++ b/tracks/app/views/note/_notes_summary.rhtml
@@ -2,6 +2,6 @@
 <div class="note_wrapper">
 <%= link_to( image_tag("blank"), { :controller => "note", :action => "show", 
                                    :id => note.id}, :title => "Show note", :class => "show_notes" ) %>&nbsp;
-<%= textilize(truncate(note.body, 50, "...")) %>
+<%= sanitize(textilize(truncate(note.body, 50, "..."))) %>
 </div>
 <% note = nil -%>
diff --git a/tracks/app/views/project/_project_listing.rhtml b/tracks/app/views/project/_project_listing.rhtml
index dcb9762e..944dc0c9 100644
--- a/tracks/app/views/project/_project_listing.rhtml
+++ b/tracks/app/views/project/_project_listing.rhtml
@@ -18,7 +18,7 @@
               {:action => "move_bottom", :id => project.id}, :title => "Move to bottom", :class=>"to_bottom") %>
 </div>  
 <div class="data">
-  <%= link_to( "#{project.name}", :action => "show", :name => urlize(project.name) ) %><%= " (" + project.count_undone_todos("actions") + ")" %>
+  <%= link_to( sanitize("#{project.name}"), :action => "show", :name => urlize(project.name) ) %><%= " (" + project.count_undone_todos("actions") + ")" %>
 </div>
 <div class="buttons">
   <% if project.done == 1 -%>
diff --git a/tracks/app/views/project/_show_items.rhtml b/tracks/app/views/project/_show_items.rhtml
index 2b82331b..3b4fc9a7 100644
--- a/tracks/app/views/project/_show_items.rhtml
+++ b/tracks/app/views/project/_show_items.rhtml
@@ -32,13 +32,13 @@
   <% end %>
  
   <%= due_date( item.due ) %> 
-  <%= item.description %>
+  <%= sanitize(item.description) %>
   <% if item.context_id %>
     <%= link_to( "[C]", { :controller => "context", :action => "show", :name => urlize(item.context.name) }, :title => "View context: #{item.context.name}" ) %>
   <% end %>
   <% if item.notes? %>
   <%= "<a href=\"javascript:Element.toggle('" + item.id.to_s + "')\" class=\"show_notes\" title=\"Show notes\">" + image_tag( "blank", :width=>"16", :height=>"16", :border=>"0" ) + "</a>" %>
-    <%   m_notes = markdown( item.notes ) %>
+    <%   m_notes = sanitize(markdown( item.notes )) %>
     <%= "<div class=\"notes\" id=\"" + item.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
   <% end %>
   </div>
@@ -81,13 +81,13 @@
   <!-- end div.checkbox -->
   <div class="description">
   <span class="grey"><%= format_date( item.completed ) %></span>
-  <%= item.description %>
+  <%= sanitize(item.description) %>
   <% if item.project_id %>
     <%= link_to( "[C]", { :controller => "context", :action => "show", :name => urlize(item.context.name) }, :title => "View context: #{item.context.name}" ) %>
   <% end %>
   <% if item.notes? %>
   <%= "<a href=\"javascript:Element.toggle('" + item.id.to_s + "')\" class=\"show_notes\" title=\"Show notes\">" + image_tag( "blank", :width=>"16", :height=>"16", :border=>"0" ) + "</a>" %>
-    <%   m_notes = markdown( item.notes ) %>
+    <%   m_notes = sanitize(markdown( item.notes )) %>
     <%= "<div class=\"notes\" id=\"" + item.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
   <% end %>
   </div><!-- [end:description] -->
diff --git a/tracks/app/views/project/show.rhtml b/tracks/app/views/project/show.rhtml
index b9850d0f..1de9b12b 100644
--- a/tracks/app/views/project/show.rhtml
+++ b/tracks/app/views/project/show.rhtml
@@ -1,9 +1,9 @@
 <div id="display_box">
 
 <div class="contexts">
-<h2><%= @project.name %></h2>
+<h2><%= sanitize(@project.name) %></h2>
 <% if @project.description -%>
-  <div class="project_description"><%= @project.description %></div>
+  <div class="project_description"><%= sanitize(@project.description) %></div>
 <% end -%>
 
   <div id="next_actions">
diff --git a/tracks/app/views/shared/add_new_item_form.rhtml b/tracks/app/views/shared/add_new_item_form.rhtml
index 6d5a1655..4dfec1f4 100644
--- a/tracks/app/views/shared/add_new_item_form.rhtml
+++ b/tracks/app/views/shared/add_new_item_form.rhtml
@@ -24,10 +24,10 @@
       :html=> { :id=>'todo-form-new-action', :name=>'todo', :class => 'inline-form' }) %>
 
   <label for="new_item_description">Description</label><br />
-  <%= text_field( "new_item", "description", "size" => 25, "tabindex" => 1 ) %><br />
+  <%= text_field( "new_item", "description", "size" => 25, "tabindex" => 1) %><br />
 
   <label for="new_item_notes">Notes</label><br />
-  <%= text_area( "new_item", "notes", "cols" => 25, "rows" => 10, "tabindex" => 2 ) %><br />
+  <%= text_area( "new_item", "notes", "cols" => 25, "rows" => 10, "tabindex" => 2) %><br />
 
   <label for="new_item_context_id">Context</label><br />
   <%= collection_select( "new_item", "context_id", @contexts, "id", "name", 
diff --git a/tracks/app/views/shared/sidebar.rhtml b/tracks/app/views/shared/sidebar.rhtml
index 465d37c1..0d10af5f 100644
--- a/tracks/app/views/shared/sidebar.rhtml
+++ b/tracks/app/views/shared/sidebar.rhtml
@@ -1,7 +1,7 @@
 <h3>Active Projects:</h3>
 <ul>
   <% for project in @projects.collect { |x| x.done? ? nil:x }.compact -%>
-    <li><%= link_to( project.name, { :controller => "project", :action => "show", 
+    <li><%= link_to( sanitize(project.name), { :controller => "project", :action => "show", 
             :name => urlize(project.name) } ) + " (" + project.count_undone_todos("actions") + ")" %></li>
   <% end -%>
 </ul>
@@ -9,7 +9,7 @@
 <h3>Completed Projects:</h3>
 <ul>
   <% for project in @projects.collect { |x| x.done? ? x:nil }.compact -%>
-    <li><%= link_to( project.name, { :controller => "project", :action => "show",
+    <li><%= link_to( sanitize(project.name), { :controller => "project", :action => "show",
             :name => urlize(project.name) } ) + " (" + project.count_undone_todos("actions") + ")" %></li>
   <% end -%>
 </ul>
@@ -17,7 +17,7 @@
 <h3>Active Contexts:</h3>
 <ul>
   <% for context in @contexts.collect { |x| x.hidden? ? nil:x }.compact -%>
-  <li><%= link_to( context.name, { :controller => "context", :action => "show",
+  <li><%= link_to( sanitize(context.name), { :controller => "context", :action => "show",
           :name => urlize(context.name) } ) + " (" + context.count_undone_todos("actions") + ")" %></li>
   <% end -%>
 </ul>
@@ -25,7 +25,7 @@
 <h3>Hidden Contexts:</h3>
 <ul>
   <% for context in @contexts.collect { |x| x.hidden? ? x:nil }.compact -%>
-  <li><%= link_to( context.name, { :controller => "context", :action => "show",
+  <li><%= link_to( sanitize(context.name), { :controller => "context", :action => "show",
           :name => urlize(context.name) } ) + " (" + context.count_undone_todos("actions") + ")" %></li>
   <% end -%>
 </ul>
diff --git a/tracks/app/views/todo/_action_edit_form.rhtml b/tracks/app/views/todo/_action_edit_form.rhtml
index 35a037ec..36d2cf5d 100644
--- a/tracks/app/views/todo/_action_edit_form.rhtml
+++ b/tracks/app/views/todo/_action_edit_form.rhtml
@@ -7,11 +7,11 @@
 <table>
   <tr>
     <td class="label"><label for="item_description">Next action</label></td>
-    <td><%= text_field( "item", "description", "tabindex" => 1 ) %></td>
+    <td><%= text_field( "item", "description", "tabindex" => 1) %></td>
   </tr>
   <tr>
     <td class="label"><label for="item_notes">Notes</label></td>
-    <td><%= text_area( "item", "notes", "cols" => 20, "rows" => 5, "tabindex" => 2 ) %></td>
+    <td><%= text_area( "item", "notes", "cols" => 20, "rows" => 5, "tabindex" => 2) %></td>
   </tr>
   <tr>
     <td class="label"><label for="item_context_id">Context</label></td>
diff --git a/tracks/app/views/todo/_done.rhtml b/tracks/app/views/todo/_done.rhtml
index 2d38eab7..ee8c6c6e 100644
--- a/tracks/app/views/todo/_done.rhtml
+++ b/tracks/app/views/todo/_done.rhtml
@@ -2,7 +2,7 @@
 <% if done.completed %>
   <td valign="top"><%= image_tag( "done", :width=>"16", :height=>"16", :border=>"0") %></td>
   <td valign="top"><span class="grey"><%= format_date( done.completed ) %></span></td>
-  <td valign="top"><%= " " + done.description + " "%>
+  <td valign="top"><%= " " + sanitize(done.description) + " "%>
 
   <% if done.project_id %>
     <%= "(" + done.context['name'] + ", " + done.project['name'] + ")" %>
@@ -17,7 +17,7 @@
   <% if done.notes? %>
     <%= "<a href=\"javascript:Element.toggle('" + done.id.to_s + "')\" title=\"Show notes\">" + 
     image_tag( "notes", :width=>"10", :height=>"10", :border=>"0") + "</a>" %>
-    <%      m_notes = markdown( done.notes ) %>
+    <%      m_notes = sanitize(markdown( done.notes )) %>
     <%= "<div class=\"notes\" id=\"" + done.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
   <% end %>
   </td>
diff --git a/tracks/app/views/todo/_item.rhtml b/tracks/app/views/todo/_item.rhtml
index 64277f39..fc403599 100644
--- a/tracks/app/views/todo/_item.rhtml
+++ b/tracks/app/views/todo/_item.rhtml
@@ -15,7 +15,7 @@
     <%= staleness( item ) %>
   <% end %>
   <%= due_date( item.due ) %> 
-  <%= item.description %>
+  <%= sanitize(item.description) %>
   <% if item.project_id %>
     <%= link_to( "[P]", { :controller => "project", :action => "show", :name => urlize(item.project.name) }, :title => "View project: #{item.project.name}" ) %>
   <% end %>
@@ -45,7 +45,7 @@
     <!-- end div.checkbox -->
     <div class="description">
     <span class="grey"><%= format_date( item.completed ) %></span>
-    <%= item.description %>
+    <%= sanitize(item.description) %>
     <% if item.project_id %>
       <%= link_to( "[P]", { :controller => "project", :action => "show", :name => urlize(item.project.name) }, :title => "View project: #{item.project.name}" ) %>
     <% end %>
diff --git a/tracks/app/views/todo/list.rhtml b/tracks/app/views/todo/list.rhtml
index 95a7b8bd..e69c6891 100644
--- a/tracks/app/views/todo/list.rhtml
+++ b/tracks/app/views/todo/list.rhtml
@@ -12,7 +12,7 @@
   -%>
       <div class="contexts">
       <h2><a href="javascript:toggleSingle('c<%=@context.id%>');javascript:toggleImage('toggle_context_<%=@context.id%>')" class="refresh"><%= image_tag("collapse.png", :name=>"toggle_context_#{@context.id}", :border=>"0") %></a>
-        <%= link_to( "#{@context.name}", :controller => "context", :action => "show", :name => urlize(@context.name) )  %></h2>
+        <%= link_to( sanitize("#{@context.name}"), :controller => "context", :action => "show", :name => urlize(@context.name) )  %></h2>
 
     <div id="c<%= @context.id %>" class="next_actions">
         <%= render :partial => "item", :collection => @not_done %>