From e52d831e385a09802f3f94a865ba157d0eba4e84 Mon Sep 17 00:00:00 2001
From: Max Magorsch
Date: Mon, 20 Apr 2020 18:28:35 +0200
Subject: Escape comments before storing them in the database

Signed-off-by: Max Magorsch
---
 pkg/app/handler/cvetool/comments.go | 3 ++-
 pkg/app/handler/glsa/comments.go | 2 +-
 web/packs/src/javascript/cvetool.js | 4 +++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/pkg/app/handler/cvetool/comments.go b/pkg/app/handler/cvetool/comments.go
index 3d76d75..1659ea7 100644
--- a/pkg/app/handler/cvetool/comments.go
+++ b/pkg/app/handler/cvetool/comments.go
@@ -8,6 +8,7 @@ import (
 "glsamaker/pkg/models/cve"
 "encoding/json"
 "glsamaker/pkg/models/users"
+ "html"
 "net/http"
 "time"
 )
@@ -52,7 +53,7 @@ func addNewCommment(id string, user *users.User, comment string) (cve.Comment, e
 CVEId: id,
 UserId: user.Id,
 User: user,
- Message: comment,
+ Message: html.EscapeString(comment),
 Date: time.Now(),
 }
 
diff --git a/pkg/app/handler/glsa/comments.go b/pkg/app/handler/glsa/comments.go
index 1381984..bc626ef 100644
--- a/pkg/app/handler/glsa/comments.go
+++ b/pkg/app/handler/glsa/comments.go
@@ -91,7 +91,7 @@ func AddNewCommment(id string, user *users.User, comment string, commentType str
 User: user,
 UserBadge: user.Badge,
 Type: commentType,
- Message: comment,
+ Message: html.EscapeString(comment),
 Date: time.Now(),
 }
 
diff --git a/web/packs/src/javascript/cvetool.js b/web/packs/src/javascript/cvetool.js
index b9a8272..1e483b8 100644
--- a/web/packs/src/javascript/cvetool.js
+++ b/web/packs/src/javascript/cvetool.js
@@ -339,7 +339,7 @@ function registerCommentListener(){
 if(data != "err") {
 var comment = JSON.parse(data);
 var commentDate = '' + comment.Date.split("T")[0] + ' ' + comment.Date.split("T")[1].split(".")[0] + ' UTC';
- var newComment = '
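Review bot: `Message: html.EscapeString(comment)` stores HTML entity encoding in the persisted value, so every non-HTML consumer of `Message` (JSON responses, plain-text mail, search, an edit form) now receives `&lt;`/`&amp;` entities and any template that escapes on output will double-encode; the identical change in `pkg/app/handler/glsa/comments.go` has the same effect. The conventional fix is to store the raw text and escape at the rendering boundary, which Go's `html/template` does contextually, while a JSON endpoint leaves escaping to the client that builds markup. Rows written before this commit are untouched by it, so a consumer that now treats `Message` as pre-escaped will render those older comments unescaped unless they are migrated or output-side escaping is kept. The glsa file receives no import hunk, so `html` is presumably already imported there — worth confirming the build. `addNewCommment` begins before the hunk.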
' + comment.User.Name + '
' + commentDate + '
' + escape(comment.Message) + '
'; + var newComment = '
' + comment.User.Name + '
' + commentDate + '
' + comment.Message + '
'; $('.comments-section[data-cveid="' + cveid + '"]').append(newComment); } return @@ -517,4 +517,6 @@ function updateBugInformation(cveid, bugid){ }); } + + export default {initDatatable, destroyDatatable} -- cgit v1.2.3-65-gdbad
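Review bot: The new `var newComment` line concatenates `comment.Message` straight into HTML markup and relies on the server having stored it pre-escaped; comments persisted before this commit were stored raw, so for those rows dropping the client-side call reintroduces markup injection into the comments section until they are migrated. The removed `escape(...)` was the legacy percent-encoding function, so it did neutralise `<`, `&` and `"` but displayed them as `%3C`-style text rather than as characters, which is presumably why it was removed; building the fragment with DOM APIs (`document.createElement` plus `textContent`, or jQuery's `.text()`) instead of string concatenation would render correctly and safely regardless of how `Message` is stored. `comment.User.Name` and `commentDate` are still interpolated unescaped in the same expression; whether `User.Name` is user-controlled is not visible here. The markup inside both `var newComment` lines was lost in extraction, so the exact template could not be checked. `registerCommentListener` begins before the hunk.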