Remove XSS vulnerabilities through poor select2 usage (DMOJ#1398)

SchOJ · Sep 28, 2020 · 9483d28 · 9483d28
1 parent f7f0787
commit 9483d28
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 16 deletions.
diff --git a/templates/contest/ranking.html b/templates/contest/ranking.html
@@ -218,12 +218,17 @@
                     url: '{{ url('contest_user_search_select2_ajax', contest.key) }}'
                 },
                 minimumInputLength: 1,
-                escapeMarkup: function (markup) {
-                    return markup;
-                },
-                templateResult: function (data, container) {
-                    return ('<img class="user-search-image" src="' + data.gravatar_url + '" width="24" height="24">' +
-                        '<span class="' + data.display_rank + ' user-search-name">' + data.text + '</span>');
+                templateResult: function (data) {
+                    return $('<span>')
+                        .append($('<img>', {
+                            class: 'user-search-image',
+                            src: data.gravatar_url,
+                            width: 24,
+                            height: 24,
+                        }))
+                        .append($('<span>', {
+                            class: data.display_rank + ' user-search-name',
+                        }).text(data.text));
                 }
             }).on('change', function () {
                 window.location.href = url.replace('__username__', $(this).val());

diff --git a/templates/problem/submit.html b/templates/problem/submit.html
@@ -47,7 +47,7 @@
                 function formatSelection(state) {
                     if (!state.id) return state.text; // optgroup
                     var data = makeDisplayData($("option[data-id=" + state.id + "]"));
-                    return "<b>" + state.text + "</b> (" + data + ")";
+                    return $('<span>').append($('<b>').text(state.text), ' (', data, ')');
                 }
 
                 // Terrible hack, adapted from https://github.com/select2/select2/issues/4436
@@ -71,9 +71,6 @@
                 $("#id_language").select2({
                     templateResult: format,
                     templateSelection: formatSelection,
-                    escapeMarkup: function (m) {
-                        return m;
-                    },
                     resultsAdapter: customAdapter
                 });
 

diff --git a/templates/ticket/list.html b/templates/ticket/list.html
@@ -171,9 +171,6 @@
             };
 
             var user_select2 = {
-                escapeMarkup: function (markup) {
-                    return markup;
-                },
                 templateResult: function (data, container) {
                     return $('<span>')
                         .append($('<img>', {

diff --git a/templates/user/base-users.html b/templates/user/base-users.html
@@ -16,9 +16,6 @@
                     url: '{{ url('user_search_select2_ajax') }}'
                 },
                 minimumInputLength: 1,
-                escapeMarkup: function (markup) {
-                    return markup;
-                },
                 templateResult: function (data, container) {
                     return $('<span>')
                         .append($('<img>', {