Escaped the html special characters in the confirmation step of the booking wizard for preventing direct XSS malfunction

2015-11-28 12:55:03 +01:00 · 2015-11-28 12:55:03 +01:00 · b94d0dc0f3
commit b94d0dc0f3
parent 644ada0db5
2 changed files with 41 additions and 19 deletions
--- a/src/assets/js/frontend_book.js
+++ b/src/assets/js/frontend_book.js
@ -412,32 +412,44 @@ var FrontendBook = {
            }
        });

-        $('#appointment-details').html(
+
+        var html =
            '<h4>' + $('#select-service option:selected').text() + '</h4>' +
            '<p>'
-        		+ '<strong class="text-primary">'
+                + '<strong class="text-primary">'
                    + $('#select-provider option:selected').text() + '<br>'
-        			+ selectedDate + ' ' +  $('.selected-hour').text()
+                    + selectedDate + ' ' +  $('.selected-hour').text()
                    + servicePrice + ' ' + serviceCurrency
-    			+ '</strong>' +
-            '</p>'
-        );
+                + '</strong>' +
+            '</p>';
+
+        $('#appointment-details').html(html);

        // Customer Details
-        $('#customer-details').html(
-            '<h4>' + $('#first-name').val() + ' ' + $('#last-name').val() + '</h4>' +
+
+        var firstname = GeneralFunctions.escapeHtml($('#first-name').val()),
+            lastname = GeneralFunctions.escapeHtml($('#last-name').val()),
+            phoneNumber = GeneralFunctions.escapeHtml($('#phone-number').val()),
+            email = GeneralFunctions.escapeHtml($('#email').val()),
+            address = GeneralFunctions.escapeHtml($('#address').val()),
+            city = GeneralFunctions.escapeHtml($('#city').val()),
+            zipCode = GeneralFunctions.escapeHtml($('#zip-code').val()),
+
+        html =
+            '<h4>' + firstname + ' ' + lastname + '</h4>' +
            '<p>' +
-            	EALang['phone'] + ': ' + $('#phone-number').val() +
-            	'<br/>' +
-            	EALang['email'] + ': ' + $('#email').val() +
-            	'<br/>' +
-            	EALang['address'] + ': ' + $('#address').val() +
-            	'<br/>' +
-            	EALang['city'] + ': ' + $('#city').val() +
-            	'<br/>' +
-            	EALang['zip_code'] + ': ' + $('#zip-code').val() +
-        	'</p>'
-        );
+                EALang['phone'] + ': ' + phoneNumber +
+                '<br/>' +
+                EALang['email'] + ': ' + email +
+                '<br/>' +
+                EALang['address'] + ': ' + address +
+                '<br/>' +
+                EALang['city'] + ': ' + city +
+                '<br/>' +
+                EALang['zip_code'] + ': ' + zipCode +
+            '</p>';
+
+        $('#customer-details').html(html);

        // Update appointment form data for submission to server when the user confirms
        // the appointment.
--- a/src/assets/js/general_functions.js
+++ b/src/assets/js/general_functions.js
@ -355,5 +355,15 @@ var GeneralFunctions = {
        GeneralFunctions.displayMessageBox(GeneralFunctions.EXCEPTIONS_TITLE,
            GeneralFunctions.EXCEPTIONS_MESSAGE);
        $('#message_box').append(GeneralFunctions.exceptionsToHtml(exceptions));
+    },
+
+    /**
+     * Escape JS HTML string values for XSS prevention.
+     *
+     * @param {string} str String to be escaped.
+     * @returns {string} Returns the escaped string.
+     */
+    escapeHtml: function(str) {
+        return $('<div/>').text(str).html();
    }
 };