From 7e408c874ac9b84f62bd48a3a6f2b57bae866d29 Mon Sep 17 00:00:00 2001
From: sterni <sternenseemann@systemli.org>
Date: Fri, 15 Jan 2021 14:39:16 +0100
Subject: fix(panettone): escape value attr of inputs if dynamic content

I checked all :value attributes in panettone.lisp and wrapped them with
who:escape-string if its value comes from user-influenced places. Static
values or values from panettone internals are left as is.

I did not do a comprehensive check for other places where something
similar could happen though.

Fixes #92.

Change-Id: I134acc0d2f025f173588b37c19a93589365e879b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2401
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
---
 web/panettone/src/panettone.lisp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'web')

diff --git a/web/panettone/src/panettone.lisp b/web/panettone/src/panettone.lisp
index bcf215d158..aaf58bd191 100644
--- a/web/panettone/src/panettone.lisp
+++ b/web/panettone/src/panettone.lisp
@@ -147,7 +147,7 @@
       (:form
        :method :post :action "/login"
        (:input :type "hidden" :name "original-uri"
-               :value original-uri)
+               :value (who:escape-string original-uri))
        (:div
         (:label :for "username"
                 "Username")
@@ -251,7 +251,8 @@
                        :name "subject"
                        :placeholder "Subject"
                        :value (when editing
-                                (subject issue))))
+                                (who:escape-string
+                                  (subject issue)))))
 
               (:div
                (:textarea :name "body"
-- 
cgit 1.4.1