Escape strings we're injecting in the index.html script to prevent XSS.

bc9f0fd5 · Tom Robinson · 99b061d2 · bc9f0fd5 · bc9f0fd5
Unverified Commit bc9f0fd5 authored 8 years ago by Tom Robinson
--- a/resources/frontend_client/index_template.html
+++ b/resources/frontend_client/index_template.html
@@ -20,7 +20,6 @@
                var configuredRoot = {{{base_href}}};
                var actualRoot = "/";

-                // THIS IS PROBABLY VULNERABLE TO XSS
                // Add trailing slashes
                var backendPathname = {{{uri}}}.replace(/\/*$/, "/");
                // e.x. "/questions/"

--- a/src/metabase/routes.clj
+++ b/src/metabase/routes.clj
 (ns metabase.routes
  (:require [clojure.java.io :as io]
+            [clojure.string :as str]
            [cheshire.core :as json]
            (compojure [core :refer [context defroutes GET]]
                       [route :as route])
@@ -14,13 +15,18 @@
 (defn- base-href []
  (str (.getPath (clojure.java.io/as-url (public-settings/site-url))) "/"))

+(defn- escape-script [str]
+  "Escapes '</script' so it can be safely included in an inline <script> tag"
+  ;; https://stackoverflow.com/questions/14780858/escape-in-script-tag-contents/23983448#23983448
+  (str/replace str #"</script" "</scr\\\\ipt"))
+
 (defn- entrypoint [entry embeddable? {:keys [uri]}]
  (-> (if (init-status/complete?)
        (stencil/render-string (slurp (or (io/resource (str "frontend_client/" entry ".html"))
                                          (throw (Exception. (str "Cannot find './resources/frontend_client/" entry ".html'. Did you remember to build the Metabase frontend?")))))
-                               {:bootstrap_json (json/generate-string (public-settings/public-settings))
-                                :uri            (json/generate-string uri)
-                                :base_href      (json/generate-string (base-href))
+                               {:bootstrap_json (escape-script (json/generate-string (public-settings/public-settings)))
+                                :uri            (escape-script (json/generate-string uri))
+                                :base_href      (escape-script (json/generate-string (base-href)))
                                :embed_code     (when embeddable? (embed/head uri))})
        (slurp (io/resource "frontend_client/init.html")))
      resp/response