From 26d33af6e2f83edfd7d88734fefdcee06a33f4dc Mon Sep 17 00:00:00 2001 From: Olav Vitters Date: Sat, 6 Jun 2009 13:54:24 +0200 Subject: [PATCH] Prevent XSS by escaping the output --- .../vote/include/step3-confirm.php | 8 ++--- .../vote/include/step4-commit.php | 2 +- foundation.gnome.org/vote/index.wml | 4 +-- foundation.gnome.org/vote/results.wml | 10 +++--- foundation.gnome.org/vote/vote.wml | 31 ++++++++++++------- foundation.gnome.org/vote/votes.wml | 16 +++++----- 6 files changed, 40 insertions(+), 31 deletions(-) diff --git a/foundation.gnome.org/vote/include/step3-confirm.php b/foundation.gnome.org/vote/include/step3-confirm.php index 73528c9..dcac8ac 100644 --- a/foundation.gnome.org/vote/include/step3-confirm.php +++ b/foundation.gnome.org/vote/include/step3-confirm.php @@ -8,7 +8,7 @@ function step3_do () { $result = "

Step 3/4 - Confirm your vote

\n"; - $result .= "

".$election["question"]."

\n"; + $result .= "

".htmlspecialchars($election["question"])."

\n"; if (count ($votes_array) >= 1) { $result .= "

You choose to vote for:

\n"; @@ -18,15 +18,15 @@ function step3_do () { $found = FALSE; foreach ($choices as $choice) { if ($choice["id"] == $vote) { - $result .= "
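Review bot: `htmlspecialchars($election["question"])` relies on the function's defaults, which before PHP 5.4 are ENT_COMPAT (single quotes untouched) and an ISO-8859-1 charset, so the call is only safe for double-quoted or element-content contexts and does no multibyte validation; pinning the contract explicitly, `htmlspecialchars($election["question"], ENT_QUOTES, 'UTF-8')`, removes that dependency on the interpreter version. Every other `htmlspecialchars` call this patch adds (step4-commit.php, results.wml, vote.wml, votes.wml) has the same gap, and it matters most if any of vote.wml's hidden-input lines, which are not readable here, put a value inside a single-quoted attribute. A one-line wrapper such as `function esc($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }` would keep the policy in one place. step3_do's body continues outside the hunk.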
  • ".$choice["choice"]."
  • \n"; + $result .= "
  • ".htmlspecialchars($choice["choice"])."
  • \n"; $found = TRUE; break; } } if (!$found) { - $result .= "
  • Unknown vote: ".$vote."
  • \n"; - $error .= "There was an unkown vote: ".$vote."
    \n"; + $result .= "
  • Unknown vote: ".htmlspecialchars($vote)."
  • \n"; + $error .= "There was an unkown vote: ".htmlspecialchars($vote)."
    \n"; } } $result .= "\n"; diff --git a/foundation.gnome.org/vote/include/step4-commit.php b/foundation.gnome.org/vote/include/step4-commit.php index 317c494..208616e 100644 --- a/foundation.gnome.org/vote/include/step4-commit.php +++ b/foundation.gnome.org/vote/include/step4-commit.php @@ -95,7 +95,7 @@ function step4_do () { $result .= "
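Review bot: The `$error .=` line now escapes `$vote` while the message is being built, yet vote.wml's hunk at -245 also runs the finished `$error` through `htmlspecialchars($error)` before printing it, so if, as the include layout suggests, that is where this message ends up, an unknown vote value is escaped twice (a `<` renders as the text `&lt;`) and any markup the message itself carries is shown literally. votes.wml's hunk at -96 takes the opposite route and leaves `$vote["choice_id"]` raw inside `$error`, trusting the output-time escape; the two files should agree on one rule. If `$error` is plain text, drop the inner call here, `$error .= "There was an unkown vote: ".$vote."` followed by the existing tail; if it is markup, escape the pieces at build time and print it unescaped, as `$result` is. The typo `unkown` appears in both files. step3_do's body runs past the hunk.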

    Step 4/4 - Keep your anonymous token

    \n"; $result .= "

    Your vote has been received.

    \n"; $result .= "

    Please write this anonymous token somewhere:

    \n"; - $result .= "

    ".$anon_token."

    \n"; + $result .= "

    ".htmlspecialchars($anon_token)."

    \n"; $result .= "

    This anonymous token will enable you to verify your vote when the preliminary results will be published. Nobody, even the Membership and Elections Committee, except you knows that this token is associated with you and only you will be able to verify your vote. It is not possible to request this anonymous token later.

    \n"; return $result; diff --git a/foundation.gnome.org/vote/index.wml b/foundation.gnome.org/vote/index.wml index 9bf1a1e..77ffe8b 100644 --- a/foundation.gnome.org/vote/index.wml +++ b/foundation.gnome.org/vote/index.wml @@ -40,7 +40,7 @@ if (count ($current_elections) > 0) { @@ -57,7 +57,7 @@ if (count ($previous_elections) > 0) { diff --git a/foundation.gnome.org/vote/results.wml b/foundation.gnome.org/vote/results.wml index 2c397de..200a21b 100644 --- a/foundation.gnome.org/vote/results.wml +++ b/foundation.gnome.org/vote/results.wml @@ -47,24 +47,24 @@ if ($display && $election_id >= 0) { if (isset ($election) && $election !== FALSE) { if ($results !== FALSE) { - echo "

    Results for the ".$election["name"]."

    \n"; + echo "

    Results for the ".htmlspecialchars($election["name"])."

    \n"; } else { $error .= "The voting period for the specified ".elec_election_get_type ($election)." has closed, but the results of the election have not yet been calculated. It is not possible to see the results now.
    \n"; - echo "

    In the meantime, you can look at the list of all votes and verify that your vote is correct.

    \n"; + echo "

    In the meantime, you can look at the list of all votes and verify that your vote is correct.

    \n"; $display = FALSE; } } if ($display) { echo "
    "; - echo $results["result"]; + echo htmlspecialchars($results["result"]); echo "
    "; - echo "

    Please look at the list of all votes and verify that your vote is correct.

    \n"; + echo "

    Please look at the list of all votes and verify that your vote is correct.

    \n"; } if (isset ($error) && $error != "") { - echo "
    ".$error."
    \n";; + echo "
    ".htmlspecialchars($error)."
    \n";; echo "

    If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at elections@gnome.org.

    \n"; } diff --git a/foundation.gnome.org/vote/vote.wml b/foundation.gnome.org/vote/vote.wml index 62d37df..ae119a7 100644 --- a/foundation.gnome.org/vote/vote.wml +++ b/foundation.gnome.org/vote/vote.wml @@ -106,6 +106,15 @@ cursor: pointer; @@ -137,9 +146,9 @@ function populateList(){ foreach ($choices as $choice) { $index++; echo " listItem = document.createElement('li');\n"; - echo " listItem.setAttribute('name', 'vote" . $choice["id"] . "');\n"; + echo " listItem.setAttribute('name', 'vote" . escape_js_var($choice["id"]) . "');\n"; echo " listItem.setAttribute('onclick', 'addPreference(this)');\n"; - echo " listItemText = document.createTextNode('" . $choice["choice"] . "');\n"; + echo " listItemText = document.createTextNode('" . escape_js_var($choice["choice"]) . "');\n"; echo " listItem.appendChild(listItemText);\n"; echo " candidateList.appendChild(listItem);\n\n"; @@ -201,7 +210,7 @@ if ($step==2){ if (isset ($election) && $election !== FALSE) { - echo "
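Review bot: `echo htmlspecialchars($results["result"]);` changes what the page shows, not only how safely it is shown: any formatting the stored result carries (the lines around it were markup before extraction, so it may be preformatted text or HTML) is now printed literally. If the result is plain text from the counting script this is the right call; if it is stored as HTML, the escaping has to move to the point where that string is generated, and this line stays `echo $results["result"];` with a comment saying the value is pre-escaped. The `echo "..." . htmlspecialchars($error) . "...\n";;` line keeps its stray second semicolon, as do the equivalent lines in vote.wml at -245 and votes.wml at -114. The enclosing `if ($display && $election_id >= 0)` block starts before the hunk.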
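Review bot: `escape_js_var($choice["choice"])` is spliced into a single-quoted JavaScript string literal inside an inline script block, so the helper has to neutralise more than the quote: backslashes, both quote characters, CR and LF, and the `</` sequence that terminates a script element regardless of string quoting. The helper is defined in this file's -106 hunk, whose body is not readable here, so that cannot be verified from this page; an alternative that covers all of those cases without a hand-written table is `echo " listItemText = document.createTextNode(" . json_encode((string) $choice["choice"]) . ");\n";`, since json_encode emits `\/` for slashes and `\uXXXX` for non-ASCII (it does require the value to be valid UTF-8). The `setAttribute('name', 'vote...')` line has the same context, and because that id is later reused as a form field name, an integer cast there is likely simpler than escaping. populateList's body continues outside the hunk.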

    ".$election["name"]."

    \n"; + echo "

    ".htmlspecialchars($election["name"])."

    \n"; } if ($step >= 2) { @@ -245,24 +254,24 @@ if (isset ($handle)) elec_sql_close ($handle); if (isset ($error) && $error != "") { - echo "
    ".$error."
    \n";; + echo "
    ".htmlspecialchars($error)."
    \n";; echo "

    If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at elections@gnome.org.

    \n"; } if ($step != $max_step && $step >= 1) { - echo "
    \n"; } -echo $result; +echo $result; // already HTML escaped if ($step != $max_step && $step >= 1) { if ($step > 1) { - echo " \n"; - echo " \n"; + echo " \n"; + echo " \n"; } if ($step > 2) { $index=0; @@ -272,11 +281,11 @@ if ($step != $max_step && $step >= 1) { $name = "pref".$index; $value = "vote".$vote; - echo " \n"; + echo " \n"; } } - echo " \n"; - echo " \n"; + echo " \n"; + echo " \n"; echo " \n"; echo "
    \n"; } diff --git a/foundation.gnome.org/vote/votes.wml b/foundation.gnome.org/vote/votes.wml index 5e481f2..60e6376 100644 --- a/foundation.gnome.org/vote/votes.wml +++ b/foundation.gnome.org/vote/votes.wml @@ -41,7 +41,7 @@ if ($display && $election_id >= 0) { } if (isset ($election) && $election !== FALSE) { - echo "

    Detailed votes for the ".$election["name"]."

    \n"; + echo "

    Detailed votes for the ".htmlspecialchars($election["name"])."

    \n"; } if ($display) { @@ -66,12 +66,12 @@ if ($display) { $choices_name[$choice["id"]] = $choice["choice"]; } - echo "

    Please look at the automatic results to have a summary of the votes. "; - echo "You can also download the ballots in the OpenSTV .blt file format and verify the results.

    \n"; + echo "

    Please look at the automatic results to have a summary of the votes. "; + echo "You can also download the ballots in the OpenSTV .blt file format and verify the results.

    \n"; echo "

    Please note that these results are automatically calculated and are thus not the official results.

    \n"; - echo "

    ".$election["question"]."

    \n"; + echo "

    ".htmlspecialchars($election["question"])."

    \n"; echo "\n\n"; $color = TRUE; @@ -83,7 +83,7 @@ if ($display) { $class = "colorB"; echo "\n"; - echo "\n"; + echo "\n"; echo "
    Anonymous tokenVote(s)
    ".$anon_token["anon_token"]."".htmlspecialchars($anon_token["anon_token"]).""; @@ -96,9 +96,9 @@ if ($display) { echo "
      "; foreach ($votes as $vote) { if (array_key_exists ($vote["choice_id"], $choices_name)) - echo "
    1. ".$votes["preference"]." ".$choices_name[$vote["choice_id"]]."
    2. \n"; + echo "
    3. ".htmlspecialchars($votes["preference"])." ".htmlspecialchars($choices_name[$vote["choice_id"]])."
    4. \n"; else { - echo "
    5. Unknown value (".$vote["choice_id"].")
    6. \n"; + echo "
    7. Unknown value (".htmlspecialchars($vote["choice_id"]).")
    8. \n"; $error .= "There was an unkown vote for anonymous token ".$anon_token["anon_token"].": ".$vote["choice_id"]."
      \n"; } } @@ -114,7 +114,7 @@ if ($display) { } if (isset ($error) && $error != "") { - echo "
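Review bot: The added line still reads `$votes["preference"]`, the array being iterated by `foreach ($votes as $vote)`, rather than `$vote["preference"]`, the current row, so the preference number presumably comes out empty (with an undefined-index notice) on every line; wrapping it in htmlspecialchars does not change that. The fix is `htmlspecialchars($vote["preference"])` on that line, assuming the rows carry a `preference` key as the old code intended. The unchanged `$error .=` line below appends `$anon_token["anon_token"]` and `$vote["choice_id"]` unescaped, which is only safe because the output at -114 escapes the whole `$error`; that dependency is worth a short comment on the line. The enclosing `if ($display)` block starts before the hunk.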
      ".$error."
      \n";; + echo "
      ".htmlspecialchars($error)."
      \n";; echo "

      If you don't understand the error, you should probably contact the Membership and Elections Committee, which can be reached at elections@gnome.org.

      \n"; }