From 7f7b10aa0991ff9b50485e50f8c33657eff1f13f Mon Sep 17 00:00:00 2001
From: Shane Kilkelly <shane@kilkelly.me>
Date: Wed, 22 Aug 2018 10:15:50 +0100
Subject: [PATCH] Sanitize display of system messages.

When showing system-messages, use default Angular sanitizer, also,
on the admin panel itself, show the verbatim text of the message.

This solves a mild Stored-XSS vulnerability whereby a user could
put `<script>` tags in a message. We don't want that, but we do want
to be able to use basic html tags.
---
 services/web/app/views/admin/index.pug                 | 4 ++--
 services/web/public/coffee/main/system-messages.coffee | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/services/web/app/views/admin/index.pug b/services/web/app/views/admin/index.pug
index 050829e9d7..0ea54cc84d 100644
--- a/services/web/app/views/admin/index.pug
+++ b/services/web/app/views/admin/index.pug
@@ -10,8 +10,8 @@ block content
 							h1 Admin Panel
 						tabset(ng-cloak)
 							tab(heading="System Messages")
-								each message in systemMessages 
-									.alert.alert-info.row-spaced !{message.content}
+								each message in systemMessages
+									.alert.alert-info.row-spaced #{message.content}
 								hr
 								form(enctype='multipart/form-data', method='post', action='/admin/messages')
 									input(name="_csrf", type="hidden", value=csrfToken)
diff --git a/services/web/public/coffee/main/system-messages.coffee b/services/web/public/coffee/main/system-messages.coffee
index b9ec129c66..a99c5deef3 100644
--- a/services/web/public/coffee/main/system-messages.coffee
+++ b/services/web/public/coffee/main/system-messages.coffee
@@ -6,8 +6,8 @@ define [
 		
 	App.controller "SystemMessageController", ($scope, $sce) ->
 		$scope.hidden = $.localStorage("systemMessage.hide.#{$scope.message._id}")
-		$scope.htmlContent = $sce.trustAsHtml $scope.message.content
+		$scope.htmlContent = $scope.message.content
 		
 		$scope.hide = () ->
 			$scope.hidden = true
-			$.localStorage("systemMessage.hide.#{$scope.message._id}", true)
\ No newline at end of file
+			$.localStorage("systemMessage.hide.#{$scope.message._id}", true)