Merge branch 'editor_xss_vulnerability' into dev

2024-11-28 09:24:24 +01:00 · 2021-10-04 09:31:34 +02:00 · 2021-10-04 09:31:34 +02:00 · 3769afe431
commit 3769afe431
parent 94634ed825 a910e8999b
3 changed files with 12 additions and 7 deletions
--- a/app/frontend/src/javascript/controllers/projects.js
+++ b/app/frontend/src/javascript/controllers/projects.js
@ -22,6 +22,7 @@
 * in the various projects' admin controllers.
 *
 * Provides :
+ *  - $scope.summernoteOptsProject
 *  - $scope.totalSteps
 *  - $scope.machines = [{Machine}]
 *  - $scope.components = [{Component}]
@ -42,7 +43,11 @@
 *  - $state (Ui-Router) [ 'app.public.projects_show', 'app.public.projects_list' ]
 */
 class ProjectsController {
-  constructor ($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t) {
+  constructor ($rootScope, $scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t) {
+    // remove codeview from summernote editor
+    $scope.summernoteOptsProject = angular.copy($rootScope.summernoteOpts);
+    $scope.summernoteOptsProject.toolbar[6][1].splice(1, 1);
+
    // Retrieve the list of machines from the server
    Machine.query().$promise.then(function (data) {
      $scope.machines = data.map(function (d) {
@ -449,8 +454,8 @@ Application.Controllers.controller('ProjectsController', ['$scope', '$state', 'P
 /**
 * Controller used in the project creation page
 */
-Application.Controllers.controller('NewProjectController', ['$scope', '$state', 'Project', 'Machine', 'Member', 'Component', 'Theme', 'Licence', '$document', 'CSRF', 'Diacritics', 'dialogs', 'allowedExtensions', '_t',
-  function ($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, CSRF, Diacritics, dialogs, allowedExtensions, _t) {
+Application.Controllers.controller('NewProjectController', ['$rootScope', '$scope', '$state', 'Project', 'Machine', 'Member', 'Component', 'Theme', 'Licence', '$document', 'CSRF', 'Diacritics', 'dialogs', 'allowedExtensions', '_t',
+  function ($rootScope, $scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, CSRF, Diacritics, dialogs, allowedExtensions, _t) {
    CSRF.setMetaTags();

    // API URL where the form will be posted
@ -468,7 +473,7 @@ Application.Controllers.controller('NewProjectController', ['$scope', '$state',
    $scope.matchingMembers = [];

    // Using the ProjectsController
-    return new ProjectsController($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t);
+    return new ProjectsController($rootScope, $scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t);
  }
 ]);

@ -509,7 +514,7 @@ Application.Controllers.controller('EditProjectController', ['$rootScope', '$sco
      }

      // Using the ProjectsController
-      return new ProjectsController($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t);
+      return new ProjectsController($rootScope, $scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t);
    };

    // !!! MUST BE CALLED AT THE END of the controller
--- a/app/frontend/src/javascript/filters/filters.js
+++ b/app/frontend/src/javascript/filters/filters.js
@ -166,7 +166,7 @@ Application.Filters.filter('simpleText', [function () {
 }]);

 Application.Filters.filter('toTrusted', ['$sce', function ($sce) {
-  return text => $sce.trustAsHtml(text);
+  return text => $sce.getTrustedHtml(text);
 }]);

 Application.Filters.filter('planIntervalFilter', [function () {
--- a/app/frontend/templates/projects/_form.html
+++ b/app/frontend/templates/projects/_form.html
@ -71,7 +71,7 @@
        <label for="description" class="col-sm-2 control-label">{{ 'app.shared.project.description' | translate }} *</label>
        <div class="col-sm-10">
          <input type="hidden" name="project[description]" ng-value="project.description" />
-          <summernote ng-model="project.description" id="project_description" placeholder="" config="summernoteOpts" name="project[description]" required></summernote>
+          <summernote ng-model="project.description" id="project_description" placeholder="" config="summernoteOptsProject" name="project[description]" required></summernote>
          <span class="help-block" ng-show="projectForm['project[description]'].$dirty && projectForm['project[description]'].$error.required" translate>{{ 'app.shared.project.description_is_required' }}</span>
        </div>
      </div>