SE-2176 Fix elem not selected if id contains special chars #23039
Conversation
|
Thanks for the pull request, @swalladge! I've created OSPR-4082 to keep track of it in JIRA. JIRA is a place for product owners to prioritize feature reviews by the engineering development teams. Feel free to add as much of the following information to the ticket:
All technical communication about the code itself will still be done via the GitHub pull request interface. As a reminder, our process documentation is here. |
openedx-webhooks
added
needs triage
open-source-contribution
|
@swalladge Thank you for your contribution. Please let me know once it is ready for our review. |
| ) | ||
| def test_javascript_interpolate(self, data): | ||
| def test_javascript_escape(self, data): |
There was a problem hiding this comment.
Note that this was renamed, because previously it was the same name as the previous test, and was shadowing that test (which also turned out to be failing)...
There was a problem hiding this comment.
That does the trick! Just one request.
Note that if loading the xblock through some sandbox in not the usual way, we have had issues because the capa problem by default loads some resources through a relative url. This temporary patch to edx-platform should allow testing this PR in this context:
Turns out there is a simple, permanent fix that we should include in this PR. I've pushed it as a commit - hope you don't mind: 40237ec
|
I'm not sure about the XSS lint changes, but the fix to capa and the static asset part are working well. 👍 |
|
@natabene This is ready for edX review. :) |
|
@swalladge Thanks for letting me know! |
scripts/xsslint/xsslint/linters.py
Outdated
| # Ignores calls starting with "_.", because those are safe | ||
| regex = regex = re.compile(r"(?<!_).escape\(") | ||
| # Ensure that calls to fooescape or foo.escape are ignored; they aren't the dangerous escape functions. | ||
| regex = re.compile(r"(?:^|(?<![\w.$]))escape\(") |
There was a problem hiding this comment.
@robrap: Could you please take a look at this adjustment to the XSS linting? It seems reasonable to me, but you have a lot more context on this than I do.
samuelallan72
force-pushed
the
samuel/fix-unescaped-selector
branch
2 times, most recently
from
86def2c
to
bc1457a
Compare
There was a problem hiding this comment.
Minor comments and suggestions. Thank you for this.
No worries about leaving the utility where it is. Proper escaping and linting is hard, which is why the docs were vague to begin with regarding CSS escaping. I imagine it is a security blindspot for many people, but not sure. Hopefully we aren't popping in user-generated data in this way.
|
@swalladge Please let me know once it is ready for another look. |
There was a problem hiding this comment.
Thank you! The linting changes all look good to me.
- Maybe update the PR description and commit comment to mention that we removed the linting rule for
javascript-interpolatebecause it was deemed unnecessary.
- Also, once this lands, we should remove that rule from the docs: https://github.com/edx/edx-documentation/blame/04255d94ce4df1c7aff1fd5569d5ea4c207cfb3b/en_us/developers/source/preventing_xss/preventing_xss.rst#L1054-L1060
If the id of a `.formulaequationinput input` element contains a special character, then the selector for $preview was silently failing to match the element, because no escaping was happening. This fixes the issue by escaping the id before passing to the jQuery selector function. CSS.escape is the ideal method, but this isn't present in IE or Edge, so we use a fallback borrowed from the new jQuery.escapeSelector method.
Improve accuracy of javascript-escape linter: Previously this would match on FOOescape() and FOO.escape calls, but neither are the global escape function we are worried about. The regex probably isn't 100% accurate; there may be still false positives (javascript allows a large range of characters in identifiers, some of which may not be covered by [\w.$]). The main thing is to avoid false negatives here though - this will definitely catch any use of `escape()` or `window.escape()`. Also remove javascript-interpolate lint - this was deemed unecessary. StringUtils.interpolate is not in fact safe (it does no html escaping), so the results of this lint are misleading.
samuelallan72
force-pushed
the
samuel/fix-unescaped-selector
branch
from
8e17d04
to
fe06bc8
Compare
There was a problem hiding this comment.
Still approve, with 2 caveats:
- Fixing the Diff Quality errors. See the
diff_quality_eslinttab under the report: https://build.testeng.edx.org/job/edx-platform-quality-pipeline-pr/15631/Diff_20Quality_20Report/ - I am not planning to review the 3rd commit
Fix capa's static_url on devstack in new runtime. Hopefully someone else has that. :)
Thanks for all the linting clean-up.
|
@ormsbee Can you give this another look? |
|
@robrap thanks for your time reviewing this. diff quality errors fixed. 😄 |
|
Your PR has finished running tests. There were no failures. |
|
@swalladge 🎉 Your pull request was merged! Please take a moment to answer a two question survey so we can improve your experience in the future. |
|
Argh. I forgot to squash + merge >_< |
|
EdX Release Notice: This PR has been deployed to the staging environment in preparation for a release to production. |
|
EdX Release Notice: This PR has been deployed to the production environment. |
|
Thanks @ormsbee! 😄 |
If the id of a
.formulaequationinput inputelement contains a specialcharacter, then the selector for $preview was silently failing to match
the element, because no escaping was happening.
This fixes the issue by escaping the id before passing to the jQuery
selector function. CSS.escape is the ideal method, but this isn't
present in IE or Edge, so we use a fallback borrowed from the new
jQuery.escapeSelector method. (If this is a common thing, would suggest adding a global CSS.escape polyfill instead of a local fallback)
This also fixes bugs in tests for the xsslint tool that were causing tests to fail. The
javascript-interpolatelint rule was removed altogether since it was deemed no longer necessary.JIRA tickets: OSPR-4082
Dependencies: None
Sandbox URL: TBD - sandbox is being provisioned.
Merge deadline: "None"
Testing instructions:
Reviewers
Settings