From b94d0dc0f38f791312e1ce2f6c6d761aeb92f177 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Sat, 28 Nov 2015 12:55:03 +0100
Subject: [PATCH] Escaped the html special characters in the confirmation step of the booking wizard for preventing direct XSS malfunction
---
 src/assets/js/frontend_book.js | 50 ++++++++++++++++++------------
 src/assets/js/general_functions.js | 10 ++++++
 2 files changed, 41 insertions(+), 19 deletions(-)
diff --git a/src/assets/js/frontend_book.js b/src/assets/js/frontend_book.js
index 600478c2..7c07fc11 100644
--- a/src/assets/js/frontend_book.js
+++ b/src/assets/js/frontend_book.js
@@ -412,32 +412,44 @@ var FrontendBook = {
 }
 });
- $('#appointment-details').html(
+
+ var html = '

' + $('#select-service option:selected').text() + '

' + '

' - + '' + + '' + $('#select-provider option:selected').text() + '
' - + selectedDate + ' ' + $('.selected-hour').text() + + selectedDate + ' ' + $('.selected-hour').text() + servicePrice + ' ' + serviceCurrency - + '
' + - '

' - ); + + '' + + '

'; + + $('#appointment-details').html(html); // Customer Details - $('#customer-details').html( - '

' + $('#first-name').val() + ' ' + $('#last-name').val() + '

' + + + var firstname = GeneralFunctions.escapeHtml($('#first-name').val()), + lastname = GeneralFunctions.escapeHtml($('#last-name').val()), + phoneNumber = GeneralFunctions.escapeHtml($('#phone-number').val()), + email = GeneralFunctions.escapeHtml($('#email').val()), + address = GeneralFunctions.escapeHtml($('#address').val()), + city = GeneralFunctions.escapeHtml($('#city').val()), + zipCode = GeneralFunctions.escapeHtml($('#zip-code').val()), + + html = + '

' + firstname + ' ' + lastname + '

' + '

' + - EALang['phone'] + ': ' + $('#phone-number').val() + - '
' + - EALang['email'] + ': ' + $('#email').val() + - '
' + - EALang['address'] + ': ' + $('#address').val() + - '
' + - EALang['city'] + ': ' + $('#city').val() + - '
' + - EALang['zip_code'] + ': ' + $('#zip-code').val() + - '

' - ); + EALang['phone'] + ': ' + phoneNumber + + '
' + + EALang['email'] + ': ' + email + + '
' + + EALang['address'] + ': ' + address + + '
' + + EALang['city'] + ': ' + city + + '
' + + EALang['zip_code'] + ': ' + zipCode + + '

';
+
+ $('#customer-details').html(html);
 // Update appointment form data for submission to server when the user confirms
 // the appointment.
diff --git a/src/assets/js/general_functions.js b/src/assets/js/general_functions.js
index 82be0c96..ad052b8b 100644
--- a/src/assets/js/general_functions.js
+++ b/src/assets/js/general_functions.js
@@ -355,5 +355,15 @@ var GeneralFunctions = {
 GeneralFunctions.displayMessageBox(GeneralFunctions.EXCEPTIONS_TITLE, GeneralFunctions.EXCEPTIONS_MESSAGE);
 $('#message_box').append(GeneralFunctions.exceptionsToHtml(exceptions));
+ },
+
+ /**
+ * Escape JS HTML string values for XSS prevention.
+ *
+ * @param {string} str String to be escaped.
+ * @returns {string} Returns the escaped string.
+ */
+ escapeHtml: function(str) {
+ return $('
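Review bot: The appointment-details part of this hunk still concatenates `$('#select-service option:selected').text()`, `$('#select-provider option:selected').text()`, `$('.selected-hour').text()`, `selectedDate`, `servicePrice` and `serviceCurrency` into `html` unescaped, while only the customer fields further down are wrapped in `GeneralFunctions.escapeHtml`. `.text()` returns decoded text, so a service or provider name containing markup characters would be reinterpreted once `html` is passed to `.html()`; whether those names are attacker-controlled depends on the backend, which is not visible here, but escaping them the same way is cheap, e.g. `GeneralFunctions.escapeHtml($('#select-service option:selected').text())`. Separately, `html` is declared with `var` for the appointment-details markup and then re-declared as the last member of the comma-chained `var firstname = …, html = …` list; a plain `html = …` assignment (or two distinct names) would read more clearly. The enclosing function starts and ends outside the hunk.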
').text(str).html();
 }
 };
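Review bot: The docstring on `escapeHtml` should state which context the result is safe for: serialising a text node through `.html()` escapes `&`, `<` and `>` but leaves `"` and `'` untouched, so the return value is safe as element content but not inside an HTML attribute value or a JavaScript string literal. Suggest adding `@remarks Safe for element text content only; quotes are not escaped, so do not use the result inside attribute values.` to the comment block. The element literal inside `$('…')` is not visible in this excerpt, so the markup the helper builds cannot be checked here.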