Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sayuru XSS vulnerability fixes #28

Merged
merged 2 commits into from
Oct 11, 2024
Merged

Sayuru XSS vulnerability fixes #28

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cae2767
fix: Sanitize XSS IT21470004
SayuruRehan Oct 11, 2024
f99dc4e
Merge branch 'sayuru-vulnerability-fixes' of https://github.com/mrmih…
SayuruRehan Oct 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 48 additions & 28 deletions frontend/src/learner/AllCoursesList.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import React, { useState, useEffect } from "react";
import React, {useState, useEffect} from "react";
import axios from "axios";
import { Link, useNavigate } from "react-router-dom"; // Import useNavigate from react-router-dom
import {Link, useNavigate} from "react-router-dom"; // Import useNavigate from react-router-dom
import DOMPurify from "dompurify"; // Import DOMPurify for sanitization

function AllCourses() {
const [courses, setCourses] = useState([]);
Expand All @@ -18,15 +19,18 @@ function AllCourses() {
let response;
if (activeTab === "approved") {
response = await axios.get(
"http://localhost:4003/api/v1/course/getApproved"
// IT21470004 - XSS Code Level Fix
DOMPurify.sanitize("http://localhost:4003/api/v1/course/getApproved")
);
} else if (activeTab === "pending") {
response = await axios.get(
"http://localhost:4003/api/v1/course/getPending"
// IT21470004 - XSS Code Level Fix
DOMPurify.sanitize("http://localhost:4003/api/v1/course/getPending")
);
} else if (activeTab === "rejected") {
response = await axios.get(
"http://localhost:4003/api/v1/course/getRejected"
// IT21470004 - XSS Code Level Fix
DOMPurify.sanitize("http://localhost:4003/api/v1/course/getRejected")
);
}
setCourses(response.data);
Expand All @@ -41,8 +45,11 @@ function AllCourses() {
const learnerId = "123f55396a149b001f8a1234";
try {
const response = await axios.post(
`http://localhost:4002/learner/course/enroll?courseId=${courseId}`,
{ learnerId }
// IT21470004 - XSS Code Level Fix
DOMPurify.sanitize(
`http://localhost:4002/learner/course/enroll?courseId=${courseId}`
),
{learnerId}
);
console.log(response.data.message);
// Redirect to Success.js after successful enrollment
Expand All @@ -51,8 +58,6 @@ function AllCourses() {
} else {
navigate("/enroll/unsuccess");
}

response.status(400).json({ message: "Student enrolled successfully" });
} catch (error) {
console.error("Error enrolling:", error);
// Handle error
Expand All @@ -77,6 +82,7 @@ function AllCourses() {
}

return (
// IT21470004 - XSS Code Level Fixes
<div className="container mx-auto">
<h1 className="mb-6 text-3xl font-semibold">Course List</h1>
{/* Tab navigation */}
Expand Down Expand Up @@ -115,49 +121,60 @@ function AllCourses() {
>
<div className="p-6">
<h2 className="mb-2 text-xl font-semibold">
{course.CourseName}
{DOMPurify.sanitize(course.CourseName)}
</h2>
{course.preview && (
<img
src={`http://localhost:4003/${course.preview.replace(
"\\",
"/"
)}`}
src={DOMPurify.sanitize(
`http://localhost:4003/${course.preview.replace("\\", "/")}`
)}
alt="Preview"
className="w-full mb-2 rounded-md cursor-pointer"
onClick={() => handleViewDetails(course._id)}
/>
)}
{expandedCourseId === course._id && (
// IT21470004 - XSS Code Level Fixes
<div>
<p className="mb-2">Instructor: {course.instructor}</p>
<p className="mb-2">Description: {course.description}</p>
<p className="mb-2">Duration: {course.duration}</p>
<p className="mb-2">Level: {course.level}</p>
<p className="mb-2">
Instructor: {DOMPurify.sanitize(course.instructor)}
</p>
<p className="mb-2">
Description: {DOMPurify.sanitize(course.description)}
</p>
<p className="mb-2">
Duration: {DOMPurify.sanitize(course.duration)}
</p>
<p className="mb-2">
Level: {DOMPurify.sanitize(course.level)}
</p>
<p className="mb-2">Price: ${course.price}</p>
<h3 className="mb-2 text-lg font-semibold">Lessons:</h3>
<ul className="pl-6 list-disc">
{course.lessons.map((lesson, lessonIndex) => (
<li key={lessonIndex}>
<div className="mb-2">
<span className="font-semibold">Title:</span>{" "}
{lesson.title}
{DOMPurify.sanitize(lesson.title)}
</div>
<div className="mb-2">
<span className="font-semibold">Description:</span>{" "}
{lesson.description}
{DOMPurify.sanitize(lesson.description)}
</div>
</li>
))}
</ul>
<p className="mb-2">
Lecture Notes:{" "}
{course.lectureNotes && (
// IT21470004 - XSS Code Level Fixes
<a
href={`http://localhost:4003/${course.lectureNotes.replace(
"\\",
"/"
)}`}
href={DOMPurify.sanitize(
`http://localhost:4003/${course.lectureNotes.replace(
"\\",
"/"
)}`
)}
target="_blank"
rel="noopener noreferrer"
className="text-blue-500 hover:underline"
Expand All @@ -169,11 +186,14 @@ function AllCourses() {
<p className="mb-2">
Lecture Videos:{" "}
{course.lectureVideos && (
// IT21470004 - XSS Code Level Fixes
<a
href={`http://localhost:4003/${course.lectureVideos.replace(
"\\",
"/"
)}`}
href={DOMPurify.sanitize(
`http://localhost:4003/${course.lectureVideos.replace(
"\\",
"/"
)}`
)}
target="_blank"
rel="noopener noreferrer"
className="text-blue-500 hover:underline"
Expand Down