From ec132ae1510ef2d33f6b9f1ce5fcb3f175c81fe8 Mon Sep 17 00:00:00 2001
From: Jared Tabor <jtabor@ansible.com>
Date: Wed, 10 Dec 2014 14:04:34 -0500
Subject: [PATCH] Survey maker/taker html tag injection

Fixed a defect in which the user could inject html tags into the survey maker, which could in turn show up in survey taker.
---
 awx/ui/static/js/helpers/JobSubmission.js | 10 ++++++++++
 awx/ui/static/js/helpers/Survey.js        | 11 +++++++++++
 2 files changed, 21 insertions(+)

diff --git a/awx/ui/static/js/helpers/JobSubmission.js b/awx/ui/static/js/helpers/JobSubmission.js
index fdb9d8e5c2..65bee2a226 100644
--- a/awx/ui/static/js/helpers/JobSubmission.js
+++ b/awx/ui/static/js/helpers/JobSubmission.js
@@ -446,6 +446,11 @@ function($location, Wait, GetBasePath, LookUpInit, JobTemplateForm, CredentialLi
 
             function buildHtml(question, index){
                 question.index = index;
+                question.question_name = question.question_name.replace(/</g, "&lt;");
+                question.question_name = question.question_name.replace(/>/g, "&gt;");
+                question.question_description = (question.question_description) ? question.question_description.replace(/</g, "&lt;") : undefined;
+                question.question_description = (question.question_description) ? question.question_description.replace(/>/g, "&gt;") : undefined;
+
 
                 requiredAsterisk = (question.required===true) ? "prepend-asterisk" : "";
                 requiredClasses = (question.required===true) ? "ng-pristine ng-invalid-required ng-invalid" : "";
@@ -456,6 +461,9 @@ function($location, Wait, GetBasePath, LookUpInit, JobTemplateForm, CredentialLi
                 if(!Empty(question.question_description)){
                     html += '<div class="survey_taker_description"><i>'+question.question_description+'</i></div>\n';
                 }
+
+                question.default = (question.default) ? question.default.replace(/</g, "&lt;") : undefined;
+                question.default = (question.default) ? question.default.replace(/>/g, "&gt;") : undefined;
                 scope[question.variable] = question.default;
 
                 if(question.type === 'text' ){
@@ -493,6 +501,8 @@ function($location, Wait, GetBasePath, LookUpInit, JobTemplateForm, CredentialLi
                     html+='<div class="survey_taker_input" > ';
                     for( j = 0; j<choices.length; j++){
                         checked = (!Empty(question.default) && question.default.indexOf(choices[j])!==-1) ? "checked" : "";
+                        choices[j]  = choices[j].replace(/</g, "&lt;");
+                        choices[j]  = choices[j].replace(/>/g, "&gt;");
                         html+= '<input  type="'+element+'" class="mc" ng-model="'+question.variable+'" ng-required="'+question.required+'" name="'+question.variable+ ' " id="'+question.variable+'" value=" '+choices[j]+' " '+checked+' >' +
                         '<span>'+choices[j] +'</span><br>' ;
                     }
diff --git a/awx/ui/static/js/helpers/Survey.js b/awx/ui/static/js/helpers/Survey.js
index 71c8cf5554..ec16839efd 100644
--- a/awx/ui/static/js/helpers/Survey.js
+++ b/awx/ui/static/js/helpers/Survey.js
@@ -266,6 +266,11 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
             // }
 
             question.index = index;
+            question.question_name = question.question_name.replace(/</g, "&lt;");
+            question.question_name = question.question_name.replace(/>/g, "&gt;");
+            question.question_description = (question.question_description) ? question.question_description.replace(/</g, "&lt;") : undefined;
+            question.question_description = (question.question_description) ? question.question_description.replace(/>/g, "&gt;") : undefined;
+
 
             if(!$('#question_'+question.index+':eq(0)').is('div')){
                 html+='<div id="question_'+question.index+'" class="question_final row"></div>';
@@ -281,6 +286,8 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
 
             if(question.type === 'text' ){
                 defaultValue = (question.default) ? question.default : "";
+                defaultValue = defaultValue.replace(/</g, "&lt;");
+                defaultValue = defaultValue.replace(/>/g, "&gt;");
                 html+='<div class="row">'+
                     '<div class="col-xs-8">'+
                     '<input type="text" placeholder="'+defaultValue+'"  class="form-control ng-pristine ng-invalid-required ng-invalid final" required="" readonly>'+
@@ -288,6 +295,8 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
             }
             if(question.type === "textarea"){
                 defaultValue = (question.default) ? question.default : (question.default_textarea) ? question.default_textarea:  "" ;
+                defaultValue = defaultValue.replace(/</g, "&lt;");
+                defaultValue = defaultValue.replace(/>/g, "&gt;");
                 html+='<div class="row">'+
                     '<div class="col-xs-8">'+
                     '<textarea class="form-control ng-pristine ng-invalid-required ng-invalid final" required="" rows="3" readonly>'+defaultValue+'</textarea>'+
@@ -300,6 +309,8 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
 
                 for( i = 0; i<choices.length; i++){
                     checked = (!Empty(question.default) && question.default.indexOf(choices[i])!==-1) ? "checked" : "";
+                    choices[i] = choices[i] .replace(/</g, "&lt;");
+                    choices[i]  = choices[i] .replace(/>/g, "&gt;");
                     html+= '<input  type="'+element+'"  class="mc" ng-required="!'+question.variable+'" name="'+question.variable+ ' " id="'+question.variable+'" value=" '+choices[i]+' " '+checked+' >' +
                         '<span>'+choices[i] +'</span><br>' ;
                 }