From b5c997e8a959eb9623ffff109eadfdbd752cd46a Mon Sep 17 00:00:00 2001
From: Maximilian Grundke <maximiliangrundke@googlemail.com>
Date: Wed, 16 Aug 2017 18:20:56 +0200
Subject: [PATCH] Preprocess comment text to protect from XSS attacks

---
 app/views/request_for_comments/show.html.erb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/views/request_for_comments/show.html.erb b/app/views/request_for_comments/show.html.erb
index 4907949b..96470d05 100644
--- a/app/views/request_for_comments/show.html.erb
+++ b/app/views/request_for_comments/show.html.erb
@@ -64,6 +64,8 @@
   </h5>
 </div>
 <hr>
+
+<div class="hidden sanitizer"></div>
 <!--
 do not put a carriage return in the line below. it will be present in the presentation of the source code, otherwise.
 also, all settings from the rails model needed for the editor configuration in the JavaScript are attached to the editor as data attributes here.
@@ -145,6 +147,13 @@ also, all settings from the rails model needed for the editor configuration in t
     $('.editor > .ace_gutter > .ace_gutter-layer > .ace_gutter-cell').popover('destroy');
   }
 
+  function preprocess(commentText) {
+      // sanitize comments to deal with XSS attacks:
+      commentText = $('div.sanitizer').text(commentText).html();
+      // display original line breaks:
+      return commentText.replace(/\n/g, '<br>');
+  }
+
   function setAnnotations(editor, fileid) {
     var session = editor.getSession();
 
@@ -169,7 +178,7 @@ also, all settings from the rails model needed for the editor configuration in t
         }
         var popupContent = '';
         cluster.forEach(function(comment) {
-          popupContent += '<p><b>' + comment.username + '</b>: ' + comment.text.replace(/\n/g, '<br>') + '<p>';
+          popupContent += '<p><b>' + comment.username + '</b>: ' + preprocess(comment.text) + '<p>';
         });
         var icon = $('*[data-file-id="' + fileid + '"] > .ace_gutter > .ace_gutter-layer > div:nth-child(' + (clusterRow + 1) + ')');
         icon.popover({