Sanitize clarification bodies.

DOMjudge · Dec 14, 2023 · 2cd74e9 · 2cd74e9
1 parent 305a88b
commit 2cd74e9
Show file tree

Hide file tree

Showing 6 changed files with 254 additions and 6 deletions.
diff --git a/composer.json b/composer.json
@@ -84,6 +84,7 @@
 		"symfony/flex": "^2",
 		"symfony/form": "6.3.*",
 		"symfony/framework-bundle": "6.3.*",
+		"symfony/html-sanitizer": "6.3.*",
 		"symfony/http-client": "6.3.*",
 		"symfony/intl": "6.3.*",
 		"symfony/mime": "6.3.*",

diff --git a/composer.lock b/composer.lock
diff --git a/webapp/src/Controller/Jury/ClarificationController.php b/webapp/src/Controller/Jury/ClarificationController.php
@@ -14,6 +14,7 @@
 use App\Utils\Utils;
 use Doctrine\ORM\EntityManagerInterface;
 use Doctrine\ORM\Query\Expr\Join;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
 use Symfony\Component\HttpKernel\Attribute\MapQueryParameter;
 use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -384,7 +385,7 @@ public function changeQueueAction(Request $request, int $clarId): Response
     }
 
     #[Route(path: '/send', methods: ['POST'], name: 'jury_clarification_send')]
-    public function sendAction(Request $request): Response
+    public function sendAction(Request $request, HtmlSanitizerInterface $htmlSanitizer): Response
     {
         $clarification = new Clarification();
 
@@ -436,7 +437,7 @@ public function sendAction(Request $request): Response
 
         $clarification->setJuryMember($this->getUser()->getUserIdentifier());
         $clarification->setAnswered(true);
-        $clarification->setBody($request->request->get('bodytext'));
+        $clarification->setBody($htmlSanitizer->sanitize($request->request->get('bodytext')));
         $clarification->setSubmittime(Utils::now());
 
         $this->em->persist($clarification);

diff --git a/webapp/src/Controller/RootController.php b/webapp/src/Controller/RootController.php
@@ -4,6 +4,7 @@
 
 use App\Service\DOMJudgeService;
 use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -43,12 +44,13 @@ public function redirectAction(AuthorizationCheckerInterface $authorizationCheck
     public function markdownPreview(
         Request $request,
         #[Autowire(service: 'twig.runtime.markdown')]
-        MarkdownRuntime $markdownRuntime
+        MarkdownRuntime $markdownRuntime,
+        HtmlSanitizerInterface $htmlSanitizer
     ): JsonResponse {
         $message = $request->request->get('message');
         if ($message === null) {
             throw new BadRequestHttpException('A message is required');
         }
-        return new JsonResponse(['html' => $markdownRuntime->convert($message)]);
+        return new JsonResponse(['html' => $markdownRuntime->convert($htmlSanitizer->sanitize($message))]);
     }
 }
diff --git a/webapp/src/Entity/Clarification.php b/webapp/src/Entity/Clarification.php
@@ -356,6 +356,6 @@ public function getSummary(): string
                 $newBody .= $line . ' ';
             }
         }
-        return Utils::cutString((empty($newBody) ? $this->getBody() : $newBody), 80);
+        return Utils::cutString(html_entity_decode((empty($newBody) ? $this->getBody() : $newBody)), 80);
     }
 }
diff --git a/webapp/src/Form/Type/TeamClarificationType.php b/webapp/src/Form/Type/TeamClarificationType.php
@@ -50,6 +50,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
         ]);
         $builder->add('message', TextareaType::class, [
             'label' => false,
+            'sanitize_html' => true,
             'attr' => [
                 'rows' => 5,
                 'cols' => 85,