Skip to content

Commit

Permalink
Escape intercom settings (XSS).
Browse files Browse the repository at this point in the history
  • Loading branch information
marshall-lee committed Apr 5, 2017
1 parent 1a07747 commit 6f4a884
Show file tree
Hide file tree
Showing 4 changed files with 6 additions and 6 deletions.
2 changes: 1 addition & 1 deletion lib/intercom-rails/script_tag.rb
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ def find_lead_attributes
def intercom_javascript
intercom_settings_json = ActiveSupport::JSON.encode(intercom_settings).gsub('<', '\u003C')

str = "window.intercomSettings = #{intercom_settings_json};(function(){var w=window;var ic=w.Intercom;if(typeof ic===\"function\"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()"
str = "window.intercomSettings = JSON.parse('#{escape_javascript(intercom_settings_json)}');(function(){var w=window;var ic=w.Intercom;if(typeof ic===\"function\"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()"

str
end
Expand Down
6 changes: 3 additions & 3 deletions spec/auto_include_filter_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -162,13 +162,13 @@ def current_user
it 'to_s non numeric user_id to avoid nested structure for bson ids' do
get :with_mongo_like_user
expect(response.body).not_to include("oid")
expect(response.body).to include('"user_id":"deadbeaf1234mongo"')
expect(response.body).to include('\\"user_id\\":\\"deadbeaf1234mongo\\"')
end

it 'leaves numeric user_id alone to avoid unintended consequences' do
get :with_numeric_user_id
expect(response.body).not_to include("oid")
expect(response.body).to include('"user_id":123')
expect(response.body).to include('\\"user_id\\":123')
end

it 'defaults to have no user_hash' do
Expand Down Expand Up @@ -226,7 +226,7 @@ def current_user

it 'escapes strings with \\s' do
get :with_some_tricky_string
expect(response.body).to include("\"email\":\"\\\\\\\"foo\\\"\"")
expect(response.body).to include('\\"email\\":\"\\\\\\\\\\\\\\"foo\\\\\\"\\"')
end

it 'can be disabled in non whitelisted environments' do
Expand Down
2 changes: 1 addition & 1 deletion spec/script_tag_helper_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
:email => '[email protected]',
:user_id => 'marco',
})
expect(script_tag.csp_sha256).to eq("'sha256-qLRbekKD6dEDMyLKPNFYpokzwYCz+WeNPqJE603mT24='")
expect(script_tag.csp_sha256).to eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")
end

it 'inserts a valid nonce if present' do
Expand Down
2 changes: 1 addition & 1 deletion spec/script_tag_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -173,7 +173,7 @@ def sha256_hmac(secret, input)
:email => '[email protected]',
:user_id => 'marco',
})
expect(script_tag.csp_sha256).to eq("'sha256-qLRbekKD6dEDMyLKPNFYpokzwYCz+WeNPqJE603mT24='")
expect(script_tag.csp_sha256).to eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")
end

it 'inserts a valid nonce if present' do
Expand Down

0 comments on commit 6f4a884

Please sign in to comment.