Invalid JSON after XSS changes about elsa HOT 1 CLOSED

I finally merged this, hopefully it's better now.

On Sat, Jan 31, 2015 at 11:25 AM, kb [email protected] wrote:

I'm experiencing the following after applying the changes to remedy XSS
found in commit 57f9ff7
57f9ff7
:

If viewing results in non-grid view, clicking on Info causes a "JSON error
parsing response: [object Object]" error in the browser, and the web log
has the following:

"
ERROR ... elsa/web/lib/View.pm (161) View::catch ...
... Invalid JSON args ...
'q' => '...b.a.s.e.6.4..b.a.s.e.6.4... ...b.a.s.e.6.4..b.a.s.e.6.4.....=='
... invalid character encountered while parsing JSON string, at character
offset ...
... at /usr/local/elsa/web/lib/Controller.pm line 1914.
... at /usr/local/elsa/web/lib/Controller.pm line 1916

"

It's breaking at line 1910, within of Controller.pm:

$decode = $self->json->decode(decode_base64($args->{q}));

The base64 encoded sData coming from the browser has a space in it.
Running the version of elsa.js before this fix has a plus sign instead.

I was able to solve my problem by adding "$args->{q} =~ s/ /+/g;" near the
top of subroutine get_log_info:
sub get_log_info {
my ($self, $args, $cb) = @_;
my $user = $args->{user};
$args->{q} =~ s/ /+/g; ### <----- NEW LINE OF CODE

my $decode;
eval {
$decode = $self->json->decode(decode_base64($args->{q}));
};

I created a pull request, but I'm not sure if it's the best solution, or
place for the solution.

—
Reply to this email directly or view it on GitHub
#5.

from elsa.