

CVE-2016-15008: fixed XSS injection vulns on channel.php · oxguy3/coebot-www@c1a6c44

A vulnerability was found in oxguy3 coebot-www and classified as problematic. This issue affects the function displayChannelCommands/displayChannelQuotes/displayChannelAutoreplies/showChannelHighlights/showChannelBoir of the file js/channel.js. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is c1a6c44092585da4236237e0e7da94ee2996a0ca. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217355.


@@ -164,7 +164,7 @@ function displayChannelCommands() { row += ‘<td class="js-commands-editcolumn"><span class="table-edit-btn" data-toggle="modal" data-target="#commandAddModal" data-command="’ + cmd.key + ‘" data-accesslevel="’ + cmd.restriction + ‘" data-response="’ + cleanHtmlAttr(cmd.value) + '" data-modaltitle="Edit command"><i class="icon-pencil"></i><span class="sr-only">Edit</span></span></td>’; row += ‘<td><kbd class="command">’ + cmd.key + '</kbd></td>’; row += ‘<td class="row-command-col-access" data-order="’ + cmd.restriction + ‘">’ + prettifyAccessLevel(cmd.restriction) + '</td>’; row += ‘<td class="should-be-linkified should-be-emotified">’ + prettifyStringVariables(cmd.value) + '</td>’; row += ‘<td class="should-be-linkified should-be-emotified">’ + prettifyStringVariables(cleanHtmlText(cmd.value)) + '</td>’; row += ‘<td>’ + Humanize.intComma(cmd.count) + '</td>’; row += '</tr>’; rows += row; @@ -261,7 +261,7 @@ function displayChannelQuotes() { row += ‘<td class="js-quotes-editcolumn"><span class="table-edit-btn" data-toggle="modal" data-target="#quoteAddModal" data-quote="’ + cleanHtmlAttr(quote.quote) + ‘" data-quoteid="’ + (i+1) + '" data-modaltitle="Edit quote"><i class="icon-pencil"></i></span></td>’;
row += ‘<td>’ + (i+1) + '</td>’; row += ‘<td>’ + quote.quote + '</td>’; row += ‘<td>’ + cleanHtmlText(quote.quote) + ‘</td>’;
var tsMoment = (quote.timestamp !== null) ? moment(quote.timestamp) : null; var tsStr = (quote.timestamp !== null) ? tsMoment.calendar() : “Unknown"; @@ -320,7 +320,7 @@ function displayChannelAutoreplies() { row += '<td class="js-autoreplies-editcolumn"><span class="table-edit-btn” data-toggle="modal" data-target="#autoreplyAddModal" data-trigger="’ + cleanHtmlAttr(reply.trigger) + ‘" data-response="’ + cleanHtmlAttr(reply.response) + ‘" data-arid="’ + (i+1) + '" data-modaltitle="Edit auto-reply"><i class="icon-pencil"></i></span></td>’; row += ‘<td>’ + (i+1) + '</td>’; row += '<td title="RegEx: ' + cleanHtmlAttr(reply.trigger) + ‘">’ + prettifyRegex(reply.trigger) + '</td>’; row += ‘<td>’ + prettifyStringVariables(reply.response) + '</td>’; row += ‘<td>’ + prettifyStringVariables(cleanHtmlText(reply.response)) + '</td>’; row += '</tr>’; rows += row; } @@ -549,7 +549,7 @@ function showChannelHighlights() { var strm = highlightsStats.streams[i]; var row = '<tr>’;
row += ‘<td><span class="fake-link js-highlight-btn" data-hlid="’ + strm.id + ‘">’ + strm.title + '</span></td>’; row += ‘<td><span class="fake-link js-highlight-btn" data-hlid="’ + strm.id + ‘">’ + cleanHtmlText(strm.title) + ‘</span></td>’;
var startMoment = moment.unix(strm.start); var cleanStart = cleanHtmlAttr(startMoment.format(‘LLLL’)); @@ -734,9 +734,9 @@ function showChannelBoir() { var boirContainer = $(‘.js-boir-container’); var html = “";
html += ‘<div class="boir-character"><strong>Character:</strong> ' + channelBoirData.character + “</div>"; html += '<div class="boir-floor"><strong>Floor:</strong> ' + channelBoirData.floor + “</div>"; html += ‘<div class="boir-seed"><strong>Seed:</strong> ' + channelBoirData.seed + “</div>"; html += '<div class="boir-character"><strong>Character:</strong> ' + cleanHtmlText(channelBoirData.character) + “</div>"; html += ‘<div class="boir-floor"><strong>Floor:</strong> ' + cleanHtmlText(channelBoirData.floor) + “</div>"; html += '<div class="boir-seed"><strong>Seed:</strong> ' + cleanHtmlText(channelBoirData.seed) + “</div>"; html += '<h3>Items</h3>’;
html += '<div class="well boir-items items-container">’;//<div class="row">’; @@ -754,13 +754,13 @@ function showChannelBoir() { if (typeof channelBoirData.flyItems !== ‘undefined’ && typeof channelBoirData.flyProgress !== ‘undefined’) { html += '<div class="col-md-6 text-center">’; html += '<h3>Lord of the Flies</h3>’; html += '<input type="text” class="dial js-boir-dial js-boir-dial-fly” value="’ + channelBoirData.flyProgress + '">’; html += '<input type="text” class="dial js-boir-dial js-boir-dial-fly” value="’ + cleanHtmlAttr(channelBoirData.flyProgress) + '">’;
// html += '<h4>Items</h4>’; html += ‘<div class="row"><div class="col-sm-8 col-sm-offset-2"><ul class="list-group">’ for (var i = 0; i < channelBoirData.flyItems.length; i++) { var item = channelBoirData.flyItems[i]; html += ‘<li class="list-group-item">’ + item + '</li>’; html += ‘<li class="list-group-item">’ + cleanHtmlText(item) + '</li>’; } html += '</ul></div></div>’; html += '</div>’; @@ -769,13 +769,13 @@ function showChannelBoir() { if (typeof channelBoirData.guppyItems !== ‘undefined’ && typeof channelBoirData.guppyProgress !== ‘undefined’) { html += '<div class="col-md-6 text-center">’; html += '<h3>Guppy</h3>’; html += '<input type="text” class="dial js-boir-dial js-boir-dial-guppy” value="’ + channelBoirData.guppyProgress + '">’; html += '<input type="text” class="dial js-boir-dial js-boir-dial-guppy" value="’ + cleanHtmlAttr(channelBoirData.guppyProgress) + '">’;
// html += '<h4>Items</h4>’; html += ‘<div class="row"><div class="col-sm-8 col-sm-offset-2"><ul class="list-group">’ for (var i = 0; i < channelBoirData.guppyItems.length; i++) { var item = channelBoirData.guppyItems[i]; html += ‘<li class="list-group-item">’ + item + '</li>’; html += ‘<li class="list-group-item">’ + cleanHtmlText(item) + '</li>’; } html += '</ul></div></div>’; } @@ -965,6 +965,7 @@ function displayChannelReqsongs() { }
function updateReqsongs() { return true; //temporary disable $.ajax({ data: { a: "listReqsong", @@ -1213,7 +1214,7 @@ $(document).ready(function() { checkIfLiveChannel(); setInterval(checkIfLiveChannel, 30000);
$(“.command”).prepend(‘<span class="command-prefix">’ + channelData.commandPrefix + ‘</span>’); $(“.command”).prepend(‘<span class="command-prefix">’ + cleanHtmlText(channelData.commandPrefix) + ‘</span>’);

var commandPrefixForUrl = channelData.commandPrefix;
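Review bot: In the displayChannelAutoreplies hunk the regex cell still concatenates `prettifyRegex(reply.trigger)` into the row unescaped, while the title attribute on the same line now gets `cleanHtmlAttr(reply.trigger)`; unless prettifyRegex escapes its input itself (its body is not on this page), the trigger text still reaches the DOM raw. The commit's own treatment of the response cell, `prettifyStringVariables(cleanHtmlText(reply.response))`, suggests the same order for the trigger: `row += '<td title="RegEx: ' + cleanHtmlAttr(reply.trigger) + '">' + prettifyRegex(cleanHtmlText(reply.trigger)) + '</td>';`. The displayChannelCommands hunk has the same gap: `cmd.key` is inserted into `data-command` and into the `<kbd>` cell, and `cmd.restriction` into `data-accesslevel`/`data-order`, without either helper, so whether those values are constrained before they reach the client should be confirmed rather than assumed. Because every row is still assembled by string concatenation, the fix depends on no call site being missed; a follow-up that builds these cells with jQuery `.text()`/`.attr()` would make that property structural instead of per-site. The bodies of displayChannelAutoreplies and displayChannelCommands start and end outside their hunks.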
