From 74b7428d2154147b673ca2927741d0aca8cdc2ac Mon Sep 17 00:00:00 2001
From: Daniel Pan
Date: Thu, 7 May 2015 11:45:04 +0800
Subject: [PATCH] Fix xss in formating people list in sharing dialog

---
 static/scripts/app/views/folder-perm.js | 2 +-
 static/scripts/app/views/share.js | 22 ++++----
 static/scripts/common.js | 69 +++++++++++++-------------
 3 files changed, 48 insertions(+), 45 deletions(-)

diff --git a/static/scripts/app/views/folder-perm.js b/static/scripts/app/views/folder-perm.js
index 9693e1aca8..f60d00d57f 100644
--- a/static/scripts/app/views/folder-perm.js
+++ b/static/scripts/app/views/folder-perm.js
@@ -89,7 +89,7 @@ define([
 });
 // use select2 to 'user' input in 'add user perm'
- $('[name="email"]', $add_user_perm).select2(Common.contactInputOptionsForSelect2);
+ $('[name="email"]', $add_user_perm).select2(Common.contactInputOptionsForSelect2());
 // use select2 to 'group' input in 'add group perm'
 var groups = app.pageOptions.groups || [],
diff --git a/static/scripts/app/views/share.js b/static/scripts/app/views/share.js
index 386338847f..ad555b317d 100644
--- a/static/scripts/app/views/share.js
+++ b/static/scripts/app/views/share.js
@@ -79,11 +79,11 @@ define([
 'submit #send-upload-link-form': 'sendUploadLink',
 'click #cancel-share-upload-link': 'cancelShareUploadLink',
 'click #delete-upload-link': 'deleteUploadLink',
-
- // file private share
+
+ // file private share
 'submit #file-private-share-form': 'filePrivateShare',
- // dir private share
+ // dir private share
 'submit #dir-private-share-form': 'dirPrivateShare'
 },
@@ -263,7 +263,7 @@ define([
 Common.showFormError(form_id, gettext("Please input at least an email."));
 return false;
 };
-
+
 var submit_btn = $('[type="submit"]', form);
 var sending_tip = $('.sending-tip', form);
 Common.disableButton(submit_btn);
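Review bot: Because `contactInputOptionsForSelect2` becomes a factory in this commit, this call site (and the two in share.js at `@@ -409` and `@@ -458`) must invoke it, and any caller outside this diff that still passes the bare `Common.contactInputOptionsForSelect2` would hand select2 a function instead of an options object and misbehave without an obvious error; it is worth confirming no such reference remains. Calling it with `Common` as the receiver matters here, since the common.js hunk captures `this` as `_this` inside the factory, so the options should not be detached and invoked standalone. A short note on the factory in common.js, e.g. `// returns a fresh select2 options object; must be called as Common.contactInputOptionsForSelect2()`, would make that contract visible to future callers. The enclosing function in folder-perm.js starts and ends outside the hunk.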
@@ -315,10 +315,10 @@ define([
 other_post_data: {
 file_shared_link: this.download_link,
 file_shared_name: this.obj_name,
- file_shared_type: this.is_dir ? 'd' : 'f'
+ file_shared_type: this.is_dir ? 'd' : 'f'
 },
 post_url: Common.getUrl({name: 'send_shared_download_link'})
- });
+ });
 return false;
 },
@@ -382,7 +382,7 @@ define([
 shared_upload_link: this.upload_link
 },
 post_url: Common.getUrl({name: 'send_shared_upload_link'})
- });
+ });
 return false;
 },
@@ -409,8 +409,8 @@ define([
 $('[name="emails"]', form).select2($.extend({
 width: '400px'
- },Common.contactInputOptionsForSelect2));
-
+ },Common.contactInputOptionsForSelect2()));
+
 form.removeClass('hide');
 },
@@ -458,8 +458,8 @@ define([
 $('[name="emails"]', form).select2($.extend({
 width: '400px'
- },Common.contactInputOptionsForSelect2));
-
+ },Common.contactInputOptionsForSelect2()));
+
 var groups = app.pageOptions.groups || [];
 var g_opts = '';
 for (var i = 0, len = groups.length; i < len; i++) {
diff --git a/static/scripts/common.js b/static/scripts/common.js
index 99d263427f..e8c535e65b 100644
--- a/static/scripts/common.js
+++ b/static/scripts/common.js
@@ -477,43 +477,46 @@ define([
 });
 },
- contactInputOptionsForSelect2: {
- placeholder: gettext("Enter emails or select contacts"),
+ contactInputOptionsForSelect2: function() {
+ var _this = this;
+ return {
+ placeholder: gettext("Enter emails or select contacts"),
- // with 'tags', the user can directly enter, not just select
- // tags need ``, not ``, not `
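Review bot: The trailing context of the `@@ -458` hunk shows `g_opts` being built by string concatenation over `app.pageOptions.groups`, and the loop body that places group names into that markup lies outside the hunk; since the commit title says it fixes escaping for the contact list, the group option markup is a second path into the DOM that should get the same treatment. If group names are not already passed through the HTML-escape helper before concatenation, a group name containing markup would reach the page unescaped. A comment at `var g_opts = '';` such as `// group names are inserted into markup here: HTML-escape them as the contact formatter does` would flag the invariant for whoever edits the loop. The enclosing function starts before the hunk and ends after it.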