- Updates import to santize user input

2016-03-15 13:06:21 -04:00
parent a1441dfde6
commit 74254d7e2a
3 changed files with 8 additions and 5 deletions
--- a/assets/js/src/subscribers/importExport/import.js
+++ b/assets/js/src/subscribers/importExport/import.js
@@ -7,7 +7,8 @@ define(
      'handlebars',
      'papaparse',
      'select2',
-      'asyncqueue'
+      'asyncqueue',
+      'xss'
    ],
    function (
      Backbone,
@@ -16,7 +17,8 @@ define(
      MailPoet,
      Handlebars,
      Papa,
-      AsyncQueue
+      AsyncQueue,
+      xss
    ) {
      if (!jQuery('#mailpoet_subscribers_import').length) {
        return;
@@ -355,7 +357,7 @@ define(
              complete: function (CSV) {
                for (var rowCount in CSV.data) {
                  var rowData = CSV.data[rowCount].map(function (el) {
-                        return el.trim();
+                        return filterXSS(el.trim());
                      }),
                      rowColumnCount = rowData.length;
                  // set the number of row elements based on the first non-empty row
--- a/package.json
+++ b/package.json
@@ -34,7 +34,8 @@
    "spectrum-colorpicker": "^1.6.2",
    "tinymce": "4.1.10",
    "underscore": "1.8.3",
-    "velocity-animate": "1.2.3"
+    "velocity-animate": "1.2.3",
+    "xss": "^0.2.10"
  },
  "devDependencies": {
    "expose-loader": "latest",
--- a/views/subscribers/importExport/import/step2.html
+++ b/views/subscribers/importExport/import/step2.html
@@ -126,7 +126,7 @@
        </td>
        {{#.}}
        <td>
-          {{{this}}}
+          {{this}}
        </td>
        {{/.}}
      </tr>