CVE-2021-3857: more xss vectors patched · chaskiq/chaskiq@bffa585

chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)


more xss vectors patched


@michelson

1 parent 1990a7a commit bffa585862b11cc05229ab3ed621d68f70ed33d0

Showing with 26 additions and 10 deletions.

  1. +3 −0 SECURITY.md
  2. +1 −0 app/graphql/mutations/app_users/update_app_user.rb
  3. +2 −2 app/javascript/packages/components/src/components/segmentManager/index.tsx
  4. +3 −1 app/javascript/packages/messenger/src/client_messenger/consentView.tsx
  5. +3 −1 app/javascript/packages/messenger/src/client_messenger/conversations/appPackageBlock.tsx
  6. +3 −1 app/javascript/src/layout/sidebar.tsx
  7. +3 −1 app/javascript/src/pages/Dashboard.tsx
  8. +7 −3 app/javascript/src/pages/Profile.tsx
  9. +1 −1 app/javascript/src/pages/campaigns/editor.tsx

@@ -0,0 +1,3 @@

For security disclosures please contact me at [miguel at chaskiq.io]

thanks!

@@ -4,6 +4,7 @@ module Mutations

module AppUsers

class UpdateAppUser < Mutations::BaseMutation

field :app_user, Types::AppUserType, null: false

field :errors, Types::JsonType, null: true

argument :app_key, String, required: true

argument :options, Types::JsonType, required: true

argument :id, Integer, required: true
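Review bot: The rendered page does not show which of the seven declaration lines in this hunk is the single addition, so the server-side half of this XSS fix cannot be reviewed from here. `argument :options, Types::JsonType, required: true` accepts arbitrary client JSON, and any key allow-listing or value sanitization presumably lives in the resolver, which is outside the hunk. A comment above that argument stating where the input is validated would make the contract visible, e.g. `# options is untrusted client JSON; allow-list keys and sanitize values in the resolver before persisting`. The UpdateAppUser class body continues outside the hunk.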

@@ -8,7 +8,7 @@ import Dropdown from '…/Dropdown’;

import Button, { ButtonIndigo } from '…/Button’;

import { PredicateType } from './types’;

import I18n from '…/…/…/…/…/src/shared/FakeI18n’;

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize’;

// import ClickAwayListener from ‘@material-ui/core/ClickAwayListener’

import defaultFields from '…/…/utils/defaultFields’;

@@ -178,7 +178,7 @@ export class SaveSegmentModal extends Component<SaveSegmentModalType> {

className="ml-2"

dangerouslySetInnerHTML={{

__html: I18n.t('segment_manager.save_changes_to’, {

name: this.props.segment.name,

name: escapeHTML(this.props.segment.name),

}),

}}

></span>
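Review bot: The fix escapes only the interpolated `name` on the `__html` line while the span still renders raw HTML through `dangerouslySetInnerHTML`, so every future value interpolated into `segment_manager.save_changes_to` has to remember the same call. If the translation string carries no markup, rendering it as an ordinary JSX child lets React escape the whole result and drops the prop: `<span className="ml-2">{I18n.t('segment_manager.save_changes_to', { name: this.props.segment.name })}</span>`. The same pattern appears in consentView.tsx (`messenger.gdpr`), appPackageBlock.tsx (`messenger.conversation_block.choosen`), sidebar.tsx and Dashboard.tsx (`dashboard.hey`). Whether `escapeHTML` also escapes quotes matters if a template ever places the value inside an attribute; the helper in `htmlSanitize` is not visible here, so confirm. SaveSegmentModal's render body starts and ends outside the hunk.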

@@ -3,6 +3,8 @@ import styled from '@emotion/styled’;

import tw from 'twin.macro’;

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize’;

export const Wrapper = styled.div`

top: 0px;

z-index: 999999;

@@ -37,7 +39,7 @@ export default function GDPRView({ confirm, cancel, i18n, app }) {

<Title>{i18n.t(‘messenger.gdpr_title’)}</Title>

<TextContent

dangerouslySetInnerHTML={{

__html: i18n.t('messenger.gdpr’, { name: app.name }),

__html: i18n.t('messenger.gdpr’, { name: escapeHTML(app.name) }),

}}

></TextContent>

@@ -2,6 +2,8 @@ import React, { Component } from 'react’;

import { DefinitionRenderer } from '@chaskiq/components/src/components/packageBlocks/components’;

import Button from '@chaskiq/components/src/components/Button’;

import { toCamelCase } from '@chaskiq/components/src/utils/caseConverter’;

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize’;

import autolink from '…/autolink’;

import serialize from 'form-serialize’;

import { isEmpty } from 'lodash’;

@@ -196,7 +198,7 @@ export default class AppPackageBlock extends Component<

__html: this.props.i18n.t(

'messenger.conversation_block.choosen’,

{

field: item.label,

field: escapeHTML(item.label),

}

),

}}

@@ -34,6 +34,8 @@ import {

ChartsIcons,

} from '@chaskiq/components/src/components/icons’;

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize’;

import I18n from '…/shared/FakeI18n’;

import SidebarAgents from '…/pages/conversations/SidebarAgents’;

@@ -140,7 +142,7 @@ function Sidebar({

className="text-sm leading-5 text-gray-500 dark:text-gray-100 font-light"

dangerouslySetInnerHTML={{

__html: I18n.t('dashboard.hey’, {

name: app.name,

name: escapeHTML(app.name),

}),

}}

/>

@@ -11,6 +11,8 @@ import PageHeader from '@chaskiq/components/src/components/PageHeader’;

import DashboardItem from './reports/ReportItem’;

import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize’;

import {

ConversationChatIcon,

CampaignsIcon,

@@ -123,7 +125,7 @@ function Dashboard(props) {

className="text-4xl leading-2 text-gray-900 dark:text-gray-100 font-bold"

dangerouslySetInnerHTML={{

__html: I18n.t('dashboard.hey’, {

name: app.name,

name: escapeHTML(app.name),

}),

}}

/>

@@ -25,7 +25,9 @@ import {

import graphql from '@chaskiq/store/src/graphql/client’;

import DialogEditor from './conversations/DialogEditor’;

import sanitizeHtml from '@chaskiq/components/src/utils/htmlSanitize’;

import sanitizeHtml, {

escapeHTML,

} from '@chaskiq/components/src/utils/htmlSanitize’;

//require(‘sanitize-html’)

import { setCurrentSection } from '@chaskiq/store/src/actions/navigation’;

@@ -515,8 +517,10 @@ class ProfilePage extends Component<ProfilePageProps, ProfilePageState> {

<div

className="text-sm text-gray-500 truncate"

dangerouslySetInnerHTML={{

__html: sanitizeHtml(

o.lastMessage.message.htmlContent

__html: escapeHTML(

sanitizeHtml(

o.lastMessage.message.htmlContent

)

).substring(0, 250),

}}

/>
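Review bot: Wrapping `sanitizeHtml(...)` in `escapeHTML(...)` and then feeding the result to `dangerouslySetInnerHTML` makes any markup the sanitizer kept render as literal tag text in the preview, and `.substring(0, 250)` applied after escaping can cut an entity such as `&amp;` in half. If the intent is a plain-text preview, produce the text first and render it as a normal JSX child so React does the escaping and the `dangerouslySetInnerHTML` prop can go: `<div className="text-sm text-gray-500 truncate">{sanitizeHtml(o.lastMessage.message.htmlContent).substring(0, 250)}</div>`; whether `sanitizeHtml` can strip all tags to text is not visible here, so check its allowlist. The stale `//require('sanitize-html')` comment in the import hunk can be dropped now that the import line above it is the real source. ProfilePage's render body starts and ends outside the hunk.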

@@ -311,7 +311,7 @@ function Preview({ campaign, app }) {

{I18n.t(‘campaign.preview’)}

</h3>

<div className="mt-2 text-sm leading-5 text-yellow-700">

<p>{I18n.t(‘campaign.preview_hint’)}</p>

<p>{I18n.t('campaign.preview_hint’, { name: ‘{{name}}’ })}</p>

</div>

</div>

</div>
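Review bot: The new `<p>` passes the literal string `'{{name}}'` as the `name` interpolation, presumably so the hint displays the template token itself; since it is a JSX text child React escapes it, which is the safer rendering used elsewhere in this commit. A short comment would keep the next reader from "fixing" it, e.g. `{/* pass the raw {{name}} token so the hint shows the placeholder, not a real name */}`. Preview's body starts outside the hunk.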

