Commit 5399b82d authored by Piotr Gawron's avatar Piotr Gawron

When showing user comments, an XSS attack is prevented.

parent 4a64f4d3
......@@ -43,6 +43,7 @@
"log4js": "0.6.38",
"mkdirp": "^0.5.1",
"pileup": "^0.6.8",
"request": "^2.79.0"
"request": "^2.79.0",
"xss": "^0.3.7"
}
}
"use strict";
var Promise = require("bluebird");
var xss = require("xss");
var logger = require('../../logger');
var Functions = require('../../Functions');
......@@ -258,7 +259,8 @@ AbstractInfoWindow.prototype._createCommentInfoDiv = function(overlay, data) {
result.appendChild(commentId);
result.appendChild(document.createElement("br"));
var commentContent = document.createElement("div");
commentContent.innerHTML = comment.getContent();
commentContent.innerHTML = xss(comment.getContent());
result.appendChild(commentContent);
}
} else {
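Review bot: The sanitized string is still assigned through `innerHTML` on the line `commentContent.innerHTML = xss(comment.getContent());`, so whatever markup the `xss` default whitelist permits is rendered as HTML inside the comment box, and that policy is decided by the library rather than by this file. If comments are meant to be plain text, `commentContent.textContent = comment.getContent();` removes the injection surface entirely without a dependency; if some markup is intended, pass an explicit `whiteList` option to `xss()` so the allowed tags are a deliberate choice recorded next to the call. In either case a short why-comment above the line, e.g. `// comment content is user-supplied; never assign it to innerHTML unsanitized`, would stop the next maintainer from reverting it. `_createCommentInfoDiv` starts and ends outside the hunk, so I cannot tell from here whether other comment fields are also rendered through `innerHTML`.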
......
......@@ -14,9 +14,9 @@ var assert = require('assert');
var logger = require('../../logger');
describe('AliasInfoWindow', function() {
describe('constructor', function() {
it("default", function() {
describe('AliasInfoWindow', function () {
describe('constructor', function () {
it("default", function () {
var map = helper.createCustomMap();
var alias = helper.createAlias();
......@@ -26,8 +26,8 @@ describe('AliasInfoWindow', function() {
map.getModel().addAlias(alias);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
assert.equal(alias, aliasWindow.getAlias());
......@@ -35,28 +35,28 @@ describe('AliasInfoWindow', function() {
assert.ok(aliasWindow.getContent().innerHTML.indexOf("loading") >= 0);
assert.equal(logger.getWarnings().length, 0);
});
it("loading data", function() {
it("loading data", function () {
var map = helper.createCustomMap();
map.getOverlayDataForAlias = function() {
map.getOverlayDataForAlias = function () {
return Promise.resolve([]);
};
var javaObject = {
bounds : {
x : 190,
y : 44,
width : 80,
height : 40
bounds: {
x: 190,
y: 44,
width: 80,
height: 40
},
modelId : map.getId(),
idObject : 30001
modelId: map.getId(),
idObject: 30001
};
var alias = new Alias(javaObject);
map.getModel().addAlias(alias);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
assert.equal(alias, aliasWindow.alias);
......@@ -65,29 +65,29 @@ describe('AliasInfoWindow', function() {
});
});
it("createOverlayInfoDiv", function() {
it("createOverlayInfoDiv", function () {
var map = helper.createCustomMap();
var oc = helper.createDrugDbOverlay(map);
var alias = helper.createAlias(map);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
oc.searchNamesByTarget = function() {
return Promise.resolve([ "xField" ]);
oc.searchNamesByTarget = function () {
return Promise.resolve(["xField"]);
};
oc.getElementsByQueryFromServer = function() {
return Promise.resolve([ new Drug({
name : "xField",
references : [],
targets : [],
}) ]);
oc.getElementsByQueryFromServer = function () {
return Promise.resolve([new Drug({
name: "xField",
references: [],
targets: [],
})]);
};
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function(data) {
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf('xField') >= 0);
......@@ -95,29 +95,29 @@ describe('AliasInfoWindow', function() {
});
it("createDrugOverlayInfoDiv", function() {
it("createDrugOverlayInfoDiv", function () {
helper.setUrl("http://test/?id=drug_target_sample");
var map, ie, aliasWindow, oc;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
map = helper.createCustomMap(project);
oc = helper.createDrugDbOverlay(map);
ie = new IdentifiedElement({
id : 436152,
modelId : map.getId(),
type : "ALIAS"
id: 436152,
modelId: map.getId(),
type: "ALIAS"
});
return map.getModel().getByIdentifiedElement(ie, true);
}).then(function(alias) {
}).then(function (alias) {
aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(ie, true);
}).then(function(data) {
}).then(function (data) {
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf('NADH') >= 0);
......@@ -125,90 +125,119 @@ describe('AliasInfoWindow', function() {
});
});
it("createChemicalOverlayInfoDiv", function() {
it("createChemicalOverlayInfoDiv", function () {
var map, ie, aliasWindow, oc;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
map = helper.createCustomMap(project);
oc = helper.createChemicalDbOverlay(map);
ie = new IdentifiedElement({
id : 329170,
modelId : map.getId(),
type : "ALIAS"
id: 329170,
modelId: map.getId(),
type: "ALIAS"
});
return map.getModel().getByIdentifiedElement(ie, true);
}).then(function(alias) {
}).then(function (alias) {
aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(ie, true);
}).then(function(data) {
}).then(function (data) {
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
});
});
it("createCommentOverlayInfoDiv", function() {
var map = helper.createCustomMap();
describe("createOverlayInfoDiv", function () {
it("for comment", function () {
var map = helper.createCustomMap();
var oc = helper.createCommentDbOverlay(map);
var oc = helper.createCommentDbOverlay(map);
var alias = helper.createAlias();
alias.setId(3001);
alias.setIsComplete(true);
alias.setModelId(map.getId());
map.getModel().addAlias(alias);
var alias = helper.createAlias();
alias.setId(3001);
alias.setIsComplete(true);
alias.setModelId(map.getId());
map.getModel().addAlias(alias);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
});
var aliasWindow = new AliasInfoWindow({
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function(data) {
var comment = helper.createComment(alias);
comment.setContent("test comment Content");
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var comment = helper.createComment(alias);
comment.setContent("test comment Content");
data[0] = comment;
data['__FULL__'] = null;
data[0] = comment;
data['__FULL__'] = null;
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf(comment.getContent()) >= 0);
assert.ok(overlayDiv.innerHTML.indexOf(comment.getId()) >= 0);
});
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf(comment.getContent()) >= 0);
assert.ok(overlayDiv.innerHTML.indexOf(comment.getId()) >= 0);
});
it("xss", function () {
var map = helper.createCustomMap();
var oc = helper.createCommentDbOverlay(map);
var alias = helper.createAlias(map);
alias.setId(3001);
alias.setIsComplete(true);
var aliasWindow = new AliasInfoWindow({
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var comment = helper.createComment(alias);
// noinspection HtmlUnknownTarget
comment.setContent("<img id=\"xss-id\" src=\"invalid/path\" onerror='alert(\"XSS test\")' />");
data[0] = comment;
data['__FULL__'] = null;
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(overlayDiv.innerHTML.indexOf("alert") === -1);
});
});
});
it("createGeneticsDiv", function() {
it("createGeneticsDiv", function () {
var map;
var overlay;
var layoutAlias;
var win;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
map = helper.createCustomMap(project);
overlay = new LayoutData(18077, "xxx");
return overlay.init();
}).then(function() {
}).then(function () {
return overlay.getFullAliasById(overlay.getAliases()[0].getId());
}).then(function(data) {
}).then(function (data) {
layoutAlias = data;
return map.getModel().getAliasById(layoutAlias.getId());
}).then(function(alias) {
}).then(function (alias) {
win = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return win.init();
}).then(function() {
win.layoutAliases = [ layoutAlias ];
}).then(function () {
win.layoutAliases = [layoutAlias];
return win.createGenomicDiv();
}).then(function(div) {
}).then(function (div) {
assert.ok(div);
assert.ok(div.innerHTML.indexOf("No reference genome data available on minerva platform") === -1);
win.destroy();
......@@ -216,28 +245,28 @@ describe('AliasInfoWindow', function() {
});
it("createGeneticsDiv with no genetic data", function() {
it("createGeneticsDiv with no genetic data", function () {
var map;
var win;
var aliasId = 329173;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
map = helper.createCustomMap(project);
var overlay = new LayoutData(18077, "xxx");
return overlay.init();
}).then(function() {
}).then(function () {
return map.getModel().getAliasById(aliasId);
}).then(function(alias) {
}).then(function (alias) {
win = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return win.init();
}).then(function() {
win.layoutAliases = [ undefined ];
}).then(function () {
win.layoutAliases = [undefined];
return win.createGenomicDiv();
}).then(function(div) {
}).then(function (div) {
assert.ok(div);
assert.ok(div.innerHTML.indexOf("No reference genome data available on minerva platform") === -1);
win.destroy();
......@@ -245,36 +274,36 @@ describe('AliasInfoWindow', function() {
});
it("createGeneticsDivForUnknownOrganism", function() {
it("createGeneticsDivForUnknownOrganism", function () {
var map;
var overlay;
var layoutAlias;
var win;
return ServerConnector.getProject().then(function(project) {
return ServerConnector.getProject().then(function (project) {
project.setOrganism({
type : "TAXONOMY",
resource : "123456"
type: "TAXONOMY",
resource: "123456"
});
map = helper.createCustomMap(project);
overlay = new LayoutData(18077, "xxx");
return overlay.init();
}).then(function() {
}).then(function () {
return overlay.getFullAliasById(overlay.getAliases()[0].getId());
}).then(function(data) {
}).then(function (data) {
layoutAlias = data;
return map.getModel().getAliasById(layoutAlias.getId());
}).then(function(alias) {
}).then(function (alias) {
win = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
return win.init();
}).then(function() {
win.layoutAliases = [ layoutAlias ];
}).then(function () {
win.layoutAliases = [layoutAlias];
return win.createGenomicDiv();
}).then(function(div) {
}).then(function (div) {
assert.ok(div);
assert.ok(div.innerHTML.indexOf("No reference genome data available on minerva platform") >= -1);
win.destroy();
......@@ -282,14 +311,14 @@ describe('AliasInfoWindow', function() {
});
it("createWaitingContentDiv", function() {
it("createWaitingContentDiv", function () {
var map = helper.createCustomMap();
var alias = helper.createAlias(map);
alias.setIsComplete(true);
var aliasWindow = new AliasInfoWindow({
alias : alias,
map : map
alias: alias,
map: map
});
assert.ok(functions.isDomElement(aliasWindow.createWaitingContentDiv()));
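Review bot: The new `it("xss", ...)` case in hunk `@@ -125,90 +125,119 @@` asserts only that the substring `"alert"` is absent from `overlayDiv.innerHTML`, which would also pass if the comment were not rendered at all, and says nothing about the `onerror` attribute that carries the handler. Assert on the attribute and on the element directly, e.g. `assert.ok(overlayDiv.innerHTML.indexOf("onerror") === -1);` and `assert.strictEqual(overlayDiv.querySelector("[onerror]"), null);`, and add a positive check that benign content survives so the test also catches an over-aggressive sanitizer. The other hunks in this file change only whitespace and formatting.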
......