XSS Issues

apps/addons/tests/test_views.py

@@ -20,6 +20,7 @@ from amo.tests.test_helpers import AbuseBase, AbuseDisabledBase
 from addons import views
 from addons.models import Addon, AddonUser
 from files.models import File
+from users.helpers import users_list
 from users.models import UserProfile
 from translations.helpers import truncate
 from translations.query import order_by_translation
@@ -669,6 +670,16 @@ class TestDetailPage(test_utils.TestCase):
         doc = pq(r.content)
         eq_(0, len(doc('.avatar')))
 
+    def test_authors_xss(self):
+        name = '<script>alert(1)</script>'
+        user = UserProfile.objects.create(username='test',
+                                          display_name=name)
+
+        output = users_list([user])
+
+        assert "&lt;script&gt;alert" in output
+        assert "<script>alert" not in output
+
     def test_search_engine_works_with(self):
         """We don't display works-with info for search engines."""
         addon = Addon.objects.filter(type=amo.ADDON_SEARCH)[0]

apps/bandwagon/tests/test_views.py

@@ -283,6 +283,30 @@ class TestCRUD(test_utils.TestCase):
         eq_(r.status_code, 200)
         return r
 
+    def test_listing_xss(self):
+        c = Collection.objects.get(id=80)
+        assert self.client.login(username='clouserw@gmail.com',
+                                 password='password')
+
+        url = reverse('collections.watch', args=[c.author.username, c.slug])
+
+        user = UserProfile.objects.get(id='10482')
+        user.display_name = "<script>alert(1)</script>"
+        user.save()
+
+        r = self.client.post(url, follow=True)
+        eq_(r.status_code, 200)
+
+        qs = CollectionWatcher.objects.filter(user__username='clouserw',
+                                              collection=80)
+        eq_(qs.count(), 1)
+
+        r = self.client.get('/en-US/firefox/collections/following/',
+                            follow=True)
+
+        assert '&lt;script&gt;alert' in r.content
+        assert '<script>alert' not in r.content
+
     def test_add_fail(self):
         """
         If we input addons but fail at filling out the form, don't show

apps/devhub/templates/devhub/includes/addon_edit_basic.html

@@ -78,7 +78,9 @@
                 {{ form.categories|safe }}
                 {{ form.categories.errors|safe }}
               {% else %}
-                {{ addon.categories.all()|join(' · ')|safe }}
+                {% for i, addon in categories %}
+                  {{ ' · '|safe if i > 0 }}{{ addon|e|xssafe }}
+                {% endfor %}
               {% endif %}
             </td>
           </tr>

apps/devhub/tests/test_views.py

@@ -1088,6 +1088,33 @@ class TestEdit(test_utils.TestCase):
 
         eq_(category_ids_new, [22, 24])
 
+    def test_edit_basic_categories_xss(self):
+        category_other = Category.objects.get(id=22)
+        category_other.name = '<script>alert("test");</script>'
+        category_other.save()
+
+        data = dict(name='new name!',
+                    slug='test_slug',
+                    summary='new summary',
+                    categories=[22, 24],
+                    tags=', '.join(self.tags))
+
+        r = self.client.post(self.get_url('basic', True), data)
+
+        assert '<script>alert' not in r.content
+        assert '&lt;script&gt;alert' in r.content
+
+    def test_edit_basic_categories_other_success(self):
+        data = dict(name='new name',
+                    slug='test_slug',
+                    summary='new summary',
+                    categories=[22],  # 22 is now 'other'
+                    tags=', '.join(self.tags))
+
+        r = self.client.post(self.get_url('basic', True), data)
+
+        eq_(r.context['form'].errors, {})
+
     def test_edit_basic_categories_remove(self):
         category = Category.objects.get(id=23)
         AddonCategory(addon=self.addon, category=category).save()

apps/devhub/views.py

@@ -241,7 +241,7 @@ def edit(request, addon_id, addon):
        'addon': addon,
        'tags': addon.tags.not_blacklisted().values_list('tag_text', flat=True),
        'previews': addon.previews.all(),
-       }
+       'categories': enumerate(addon.categories.all())}
 
     return jingo.render(request, 'devhub/addons/edit.html', data)
 
@@ -521,13 +521,16 @@ def addons_section(request, addon_id, addon, section, editable=False):
         form = False
 
     tags = []
+    categories = []
 
     if section == 'basic':
         tags = addon.tags.not_blacklisted().values_list('tag_text', flat=True)
+        categories = enumerate(addon.categories.all())
 
     data = {'addon': addon,
             'form': form,
             'editable': editable,
+            'categories': categories,
             'tags': tags}
 
     return jingo.render(request,
@@ -803,6 +806,7 @@ def submit_bump(request, addon_id):
 # You can only request one of the new review tracks.
 REQUEST_REVIEW = (amo.STATUS_PUBLIC, amo.STATUS_LITE)
 
+
 @dev_required
 @post_required
 def request_review(request, addon_id, addon, status):

apps/users/tests/test_helpers.py

@@ -41,6 +41,14 @@ def test_user_link():
     eq_(user_link(None), '')
 
 
+def test_user_link_xss():
+    u = UserProfile(username='jconnor',
+                    display_name='<script>alert(1)</script>', pk=1)
+    url = reverse('users.profile', args=[1])
+    html =  "&lt;script&gt;alert(1)&lt;/script&gt;"
+    eq_(user_link(u), '<a href="%s">%s</a>' % (url, html))
+
+
 def test_users_list():
     u1 = UserProfile(username='jconnor', display_name='John Connor', pk=1)
     u2 = UserProfile(username='sconnor', display_name='Sarah Connor', pk=2)
@@ -49,6 +57,7 @@ def test_users_list():
     # handle None gracefully
     eq_(user_link(None), '')
 
+
 def test_short_users_list():
     """Test the option to shortened the users list to a certain size."""
     # short list with 'others'
@@ -61,6 +70,7 @@ def test_short_users_list():
 
 def test_user_link_unicode():
     """make sure helper won't choke on unicode input"""
-    u = UserProfile(username=u'jmüller', display_name=u'Jürgen Müller', pk=1)
+    u = UserProfile(username=u'jmüller', display_name=u'Jürgen Müller',
+                    pk=1)
     eq_(user_link(u), u'<a href="%s">Jürgen Müller</a>' %
         reverse('users.profile', args=[1]))