From 4e244a75bf6b352c94a21a131b1ecdcb74e6d3e3 Mon Sep 17 00:00:00 2001 From: Jan Lehnardt Date: Tue, 2 Nov 2010 22:16:54 +0000 Subject: Escape URL and cookie input. git-svn-id: https://svn.apache.org/repos/asf/couchdb/branches/1.0.x@1030262 13f79535-47bb-0310-9956-ffa450edef68 --- share/www/script/couch_test_runner.js | 7 +++++++ share/www/script/futon.browse.js | 17 +++++++++++------ share/www/script/futon.format.js | 5 ++++- share/www/script/futon.js | 3 ++- 4 files changed, 24 insertions(+), 8 deletions(-) (limited to 'share/www/script') diff --git a/share/www/script/couch_test_runner.js b/share/www/script/couch_test_runner.js index 451a454a..fbffbbb6 100644 --- a/share/www/script/couch_test_runner.js +++ b/share/www/script/couch_test_runner.js @@ -14,6 +14,13 @@ function loadScript(url) { + // disallow loading remote URLs + if((url.substr(0, 7) == "http://") + || (url.substr(0, 2) == "//") + || (url.substr(0, 5) == "data:") + || (url.substr(0, 11) == "javsacript:")) { + throw "Not loading remote test scripts"; + } if (typeof document != "undefined") document.write(''); }; diff --git a/share/www/script/futon.browse.js b/share/www/script/futon.browse.js index 5f687941..65acbdeb 100644 --- a/share/www/script/futon.browse.js +++ b/share/www/script/futon.browse.js @@ -97,7 +97,10 @@ // Page class for browse/database.html CouchDatabasePage: function() { var urlParts = location.search.substr(1).split("/"); - var dbName = decodeURIComponent(urlParts.shift()); + var dbName = decodeURIComponent(urlParts.shift()) + + var dbNameRegExp = new RegExp("[^a-z0-9\_\$\(\)\+\/\-]", "g"); + dbName = dbName.replace(dbNameRegExp, ""); $.futon.storage.declareWithPrefix(dbName + ".", { desc: {}, @@ -119,7 +122,7 @@ if (viewName) { this.redirecting = true; location.href = "database.html?" + encodeURIComponent(dbName) + - "/" + viewName; + "/" + encodeURIComponent(viewName); } } var db = $.couch.db(dbName); 
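Review bot: The last prefix in the new guard in loadScript is misspelled — `"javsacript:"` — so a `javascript:` URL is not rejected, and the other comparisons are case-sensitive and name only `http://`, so `https://`, `HTTP://` or any other scheme also pass. A prefix denylist is the wrong shape here; describe what a local test-script path may look like and reject everything else, e.g. `if (!/^[A-Za-z0-9_.-]+(\/[A-Za-z0-9_.-]+)*$/.test(url)) {` — that pattern admits no `:` and no leading or doubled `/`, so absolute, protocol-relative and scheme-prefixed URLs of any spelling all fail it. Confirm against the callers (outside this hunk) that they only pass relative paths before adopting it; the `document.write` argument on the following line is truncated in this rendering, so the rest of the body could not be reviewed.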
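Review bot: The new sanitizer at the `dbNameRegExp` line in CouchDatabasePage rewrites the name instead of rejecting it, so a request whose name contains a disallowed character silently proceeds against a different database (a name with one stray character stripped is still a valid, different name); it also builds the character class from a string literal in which `\_`, `\$`, `\(` and the other backslash pairs are not recognised string escapes, so the pattern only works because JavaScript drops those backslashes. A regex literal says what is meant and avoids the second problem, `var dbNameRegExp = /[^a-z0-9_$()+\/-]/g;`, and testing the name against the full CouchDB rule (a lowercase letter first, then that character set) and reporting an error on mismatch would be safer than `replace`. The semicolon was also dropped from the `var dbName = …` line, which now relies on automatic semicolon insertion across the blank line that follows it.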
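Review bot: Encoding `viewName` wholesale in the redirect target at the `location.href = "database.html?"` line appears to change what the page receives on the next load rather than merely escape it: `viewName` is presumably assembled from the remaining `urlParts` (the `split("/")` at the top of CouchDatabasePage in the previous hunk) or read back from storage, so it is already in URL form and carries `/` separators, and `encodeURIComponent` turns each `/` into `%2F` and each `%` into `%25`. The split on `/` at the top of the page would then see one token and the stored view path would no longer round-trip. If the goal is to neutralise characters that came from storage, encode per segment, `"/" + $.map(viewName.split("/"), encodeURIComponent).join("/")`, or validate the segments against the design-document and view name rules instead of re-encoding; this is hedged because the construction of `viewName` is outside the hunk.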
@@ -372,7 +375,8 @@ var path = $.couch.encodeDocId(doc._id) + "/_view/" + encodeURIComponent(viewNames[j]); var option = $(document.createElement("option")) - .attr("value", path).text(viewNames[j]).appendTo(optGroup); + .attr("value", path).text(encodeURIComponent(viewNames[j])) + .appendTo(optGroup); if (path == viewName) { option[0].selected = true; } @@ -408,7 +412,7 @@ } var viewCode = resp.views[localViewName]; page.viewLanguage = resp.language || "javascript"; - $("#language").val(page.viewLanguage); + $("#language").val(encodeURIComponent(page.viewLanguage)); page.updateViewEditor(viewCode.map, viewCode.reduce || ""); $("#viewcode button.revert, #viewcode button.save").attr("disabled", "disabled"); page.storedViewCode = viewCode; @@ -420,7 +424,7 @@ page.updateViewEditor(page.storedViewCode.map, page.storedViewCode.reduce || ""); page.viewLanguage = page.storedViewLanguage; - $("#language").val(page.viewLanguage); + $("#language").val(encodeURIComponent(page.viewLanguage)); $("#viewcode button.revert, #viewcode button.save").attr("disabled", "disabled"); page.isDirty = false; if (callback) callback(); @@ -504,7 +508,8 @@ callback({ docid: "Cannot save to " + data.docid + " because its language is \"" + doc.language + - "\", not \"" + page.viewLanguage + "\"." + "\", not \"" + + encodeURIComponent(page.viewLanguage) + "\"." }); return; } diff --git a/share/www/script/futon.format.js b/share/www/script/futon.format.js index 0d536e36..31880764 100644 --- a/share/www/script/futon.format.js +++ b/share/www/script/futon.format.js @@ -16,7 +16,10 @@ escape: function(string) { return string.replace(/&/g, "&") .replace(//g, ">"); + .replace(/>/g, ">") + .replace(/"/, """) + .replace(/'/, "';") + ; }, // JSON pretty printing diff --git a/share/www/script/futon.js b/share/www/script/futon.js index 200d6ec5..c4647ed1 100644 --- a/share/www/script/futon.js +++ b/share/www/script/futon.js 
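Review bot: `encodeURIComponent` is a URL encoder, not an HTML escaper, and at `.text(encodeURIComponent(viewNames[j]))` it is applied to a sink that is already safe — jQuery's `.text()` creates a text node and never parses markup — so the only effect is that a view name containing a space or a non-ASCII character is shown as percent escapes in the menu. The same applies to `$("#language").val(encodeURIComponent(page.viewLanguage))` in the hunks at -408 and -420, where an encoded value that differs from the plain one matches no option of the select, and to the `"\", not \""` message in the hunk at -504, where the right treatment depends on how `callback` renders the string (if it is inserted with `.html()`, it needs the `escape` helper from futon.format.js, not URL encoding). Suggest reverting these four sites to the plain values, `.text(viewNames[j])` and `.val(page.viewLanguage)`, and escaping at the rendering sink instead.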
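Review bot: The two new replacements in `escape` are missing the `g` flag — `.replace(/"/, …)` and `.replace(/'/, …)` — so only the first double quote and the first single quote in the string are escaped and every later one reaches the output unchanged, which leaves a quoted attribute context open after the first quote. Make them `.replace(/"/g, "&quot;")` and `.replace(/'/g, "&#39;")` to match the three global replacements above them. The entity replacement strings have been decoded by whatever rendered this page, so their exact text could not be checked here.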
@@ -215,9 +215,10 @@ function $$(node) { recentDbs.sort(); $.each(recentDbs, function(idx, name) { if (name) { + name = encodeURIComponent(name); $("#dbs").append("
  • " + "" + - "" + name + + "" + name + "
  • "); } }); -- cgit v1.2.3
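Review bot: At `name = encodeURIComponent(name);` a single encoding is applied to a value that, judging from the surrounding `" + name +` fragments, is used both inside a `database.html?` link and as the visible link text, and URL encoding is only right for the first of those: in the text position a name containing `/`, `$` or `+` (all legal in CouchDB database names) is now displayed as `%2F`, `%24`, `%2B`. `encodeURIComponent` also leaves `'`, `(` and `)` untouched, so if the attribute in the stripped markup is single-quoted the stored name is still able to break out of it. Keep the encoded form for the href only and pass the original name through the `escape` function from futon.format.js for the text, with two local variables rather than reassigning the callback parameter; the markup strings in this hunk were removed by the rendering of this page, so the exact sinks are inferred.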