From b94d0dc0f38f791312e1ce2f6c6d761aeb92f177 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Sat, 28 Nov 2015 12:55:03 +0100
Subject: [PATCH] Escaped the html special characters in the confirmation step
of the booking wizard to prevent direct XSS
---
src/assets/js/frontend_book.js | 50 ++++++++++++++++++------------
src/assets/js/general_functions.js | 10 ++++++
2 files changed, 41 insertions(+), 19 deletions(-)
diff --git a/src/assets/js/frontend_book.js b/src/assets/js/frontend_book.js
index 600478c2..7c07fc11 100644
--- a/src/assets/js/frontend_book.js
+++ b/src/assets/js/frontend_book.js
@@ -412,32 +412,44 @@ var FrontendBook = {
}
});
- $('#appointment-details').html(
+
+ var html =
'' + $('#select-service option:selected').text() + '
' +
''
- + ''
+ + ''
+ $('#select-provider option:selected').text() + '
'
- + selectedDate + ' ' + $('.selected-hour').text()
+ + selectedDate + ' ' + $('.selected-hour').text()
+ servicePrice + ' ' + serviceCurrency
- + '' +
- '
'
- );
+ + '' +
+ '
';
+
+ $('#appointment-details').html(html);
// Customer Details
- $('#customer-details').html(
- '' + $('#first-name').val() + ' ' + $('#last-name').val() + '
' +
+
+ var firstname = GeneralFunctions.escapeHtml($('#first-name').val()),
+ lastname = GeneralFunctions.escapeHtml($('#last-name').val()),
+ phoneNumber = GeneralFunctions.escapeHtml($('#phone-number').val()),
+ email = GeneralFunctions.escapeHtml($('#email').val()),
+ address = GeneralFunctions.escapeHtml($('#address').val()),
+ city = GeneralFunctions.escapeHtml($('#city').val()),
+ zipCode = GeneralFunctions.escapeHtml($('#zip-code').val()),
+
+ html =
+ '' + firstname + ' ' + lastname + '
' +
'' +
- EALang['phone'] + ': ' + $('#phone-number').val() +
- '
' +
- EALang['email'] + ': ' + $('#email').val() +
- '
' +
- EALang['address'] + ': ' + $('#address').val() +
- '
' +
- EALang['city'] + ': ' + $('#city').val() +
- '
' +
- EALang['zip_code'] + ': ' + $('#zip-code').val() +
- '
'
- );
+ EALang['phone'] + ': ' + phoneNumber +
+ '
' +
+ EALang['email'] + ': ' + email +
+ '
' +
+ EALang['address'] + ': ' + address +
+ '
' +
+ EALang['city'] + ': ' + city +
+ '
' +
+ EALang['zip_code'] + ': ' + zipCode +
+ '';
+
+ $('#customer-details').html(html);
// Update appointment form data for submission to server when the user confirms
// the appointment.
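Review bot: The appointment-details string at the top of the hunk still concatenates the selected service name, the provider name, `selectedDate`, `$('.selected-hour').text()`, `servicePrice` and `serviceCurrency` directly into markup passed to `.html()`, while the customer-details block just below runs every field through `GeneralFunctions.escapeHtml`. Those values come from server-rendered option text and the selected-hour element rather than free-text inputs, so the exposure looks lower, but the same `.html()` sink should get the same treatment so the next maintainer does not have to reason about which source is trusted, e.g. `var serviceName = GeneralFunctions.escapeHtml($('#select-service option:selected').text()),` and likewise for the provider name and hour. As a point of style, `html =` is the last entry of the comma-chained `var` list in the customer block, so `html` is declared twice in the same function; assigning it on its own line after the list would make that clearer. The enclosing function starts and ends outside the hunk.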
diff --git a/src/assets/js/general_functions.js b/src/assets/js/general_functions.js
index 82be0c96..ad052b8b 100644
--- a/src/assets/js/general_functions.js
+++ b/src/assets/js/general_functions.js
@@ -355,5 +355,15 @@ var GeneralFunctions = {
GeneralFunctions.displayMessageBox(GeneralFunctions.EXCEPTIONS_TITLE,
GeneralFunctions.EXCEPTIONS_MESSAGE);
$('#message_box').append(GeneralFunctions.exceptionsToHtml(exceptions));
+ },
+
+ /**
+ * Escape JS HTML string values for XSS prevention.
+ *
+ * @param {string} str String to be escaped.
+ * @returns {string} Returns the escaped string.
+ */
+ escapeHtml: function(str) {
+ return $('').text(str).html();
}
};
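Review bot: The new `escapeHtml` relies on jQuery's `.text()`/`.html()` round trip, which neutralises `<`, `>` and `&` for element text content but leaves `"` and `'` untouched, so its output is only safe when inserted between tags and not inside an attribute value, a URL, or inline script; the JSDoc should state that limit, e.g. `* Only safe for element text content; do not use for attribute values, URLs or script.` The selector in `$('')` appears empty as rendered on this page, presumably stripped markup for a wrapper element — if the literal really were empty, jQuery would return an empty set and `.html()` would yield `undefined` rather than the escaped string, so it is worth confirming the wrapper element is present in the committed source. It may also be worth documenting what happens when `str` is `null` or `undefined`, since the callers pass raw `.val()` results.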