fixed critical XSS bug that can deanonymize user

onionshare_gui/static/helpers.js

@@ -9,3 +9,52 @@ function human_readable_filesize(bytes, si) {
   } while(bytes >= thresh);
   return bytes.toFixed(1)+' '+units[u];
 };
+
+function htmlspecialchars(string, quote_style, charset, double_encode) {
+  var optTemp = 0,
+    i = 0,
+    noquotes = false;
+  if (typeof quote_style === 'undefined' || quote_style === null) {
+    quote_style = 2;
+  }
+  string = string.toString();
+  if (double_encode !== false) {
+    // Put this first to avoid double-encoding
+    string = string.replace(/&/g, '&');
+  }
+  string = string.replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+
+  var OPTS = {
+    'ENT_NOQUOTES': 0,
+    'ENT_HTML_QUOTE_SINGLE': 1,
+    'ENT_HTML_QUOTE_DOUBLE': 2,
+    'ENT_COMPAT': 2,
+    'ENT_QUOTES': 3,
+    'ENT_IGNORE': 4
+  };
+  if (quote_style === 0) {
+    noquotes = true;
+  }
+  if (typeof quote_style !== 'number') {
+    // Allow for a single string or an array of string flags
+    quote_style = [].concat(quote_style);
+    for (i = 0; i < quote_style.length; i++) {
+      // Resolve string input to bitwise e.g. 'ENT_IGNORE' becomes 4
+      if (OPTS[quote_style[i]] === 0) {
+        noquotes = true;
+      } else if (OPTS[quote_style[i]]) {
+        optTemp = optTemp | OPTS[quote_style[i]];
+      }
+    }
+    quote_style = optTemp;
+  }
+  if (quote_style & OPTS.ENT_HTML_QUOTE_SINGLE) {
+    string = string.replace(/'/g, '&#039;');
+  }
+  if (!noquotes) {
+    string = string.replace(/"/g, '&quot;');
+  }
+
+  return string;
+}

onionshare_gui/static/onionshare.js

@@ -65,7 +65,7 @@ $(function(){
               }
             } else {
               if(r.path != '/favicon.ico')
-                update($('<span>').addClass('weblog-error').html(onionshare.strings['other_page_loaded']+': '+r.path));
+                update($('<span>').addClass('weblog-error').html(onionshare.strings['other_page_loaded']+': '+htmlspecialchars(r.path)));
             }
           }
         }