From 8b73cfc0192e0c28bcbb943378118709cf1c55ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?= <javim@elretirao.net>
Date: Wed, 2 Oct 2019 14:39:25 +0200
Subject: [PATCH] Sanitize annotation context before displaying it

There's a case where we would face a Cross-Site Scripting attack. An
attacker could use the browser's developer tools to add (on their
browser) a `<code>` tag with a `<script>` tag inside in the text of the
draft version. After doing so, commenting on that text would result in
the attacker's JavaScript being executed.
---
 app/views/legislation/annotations/index.html.erb | 2 +-
 app/views/legislation/annotations/show.html.erb  | 2 +-
 spec/features/xss_spec.rb                        | 9 +++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/views/legislation/annotations/index.html.erb b/app/views/legislation/annotations/index.html.erb
index 83f0e9d07..ac439a823 100644
--- a/app/views/legislation/annotations/index.html.erb
+++ b/app/views/legislation/annotations/index.html.erb
@@ -22,7 +22,7 @@
           <% end %>
         </span>
         <div class="comment-section">
-          <%= annotation.context.try(:html_safe).presence || annotation.quote %>
+          <%= sanitize(annotation.context).presence || annotation.quote %>
         </div>
         <%= link_to legislation_process_draft_version_annotation_path(@process, @draft_version, annotation) do %>
           <span class="icon-comments" aria-hidden="true"></span> <span><%= t(".comments_count", count: annotation.comments_count) %></span></a>
diff --git a/app/views/legislation/annotations/show.html.erb b/app/views/legislation/annotations/show.html.erb
index 63af27f72..f8aeeb655 100644
--- a/app/views/legislation/annotations/show.html.erb
+++ b/app/views/legislation/annotations/show.html.erb
@@ -19,7 +19,7 @@
             <div class="comment-section">
               <div class="row">
                 <div class="small-12 medium-9 column legislation-comment">
-                  <%= @annotation.context.try(:html_safe).presence || @annotation.quote %>
+                  <%= sanitize(@annotation.context).presence || @annotation.quote %>
                 </div>
                 <div class="small-12 medium-3 column legislation-comment">
                   <span class="float-right">
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
index d7b46b8d0..6a61acd55 100644
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -41,4 +41,13 @@ describe "Cross-Site Scripting protection", :js do
 
     expect(page.text).not_to be_empty
   end
+
+  scenario "annotation context" do
+    annotation = create(:legislation_annotation)
+    annotation.update_column(:context, attack_code)
+
+    visit polymorphic_hierarchy_path(annotation)
+
+    expect(page.text).not_to be_empty
+  end
 end