From e5ef5bf6bb4f060178017b2a8e8e29f2c4d43dd8 Mon Sep 17 00:00:00 2001 From: Marios Kranitsas Date: Thu, 20 Oct 2022 12:25:55 +0300 Subject: [PATCH 1/3] Fix Reflected XSS --- web-assets/js/setupAuth0WithRedirect.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/web-assets/js/setupAuth0WithRedirect.js b/web-assets/js/setupAuth0WithRedirect.js index d2ef011..fc96093 100644 --- a/web-assets/js/setupAuth0WithRedirect.js +++ b/web-assets/js/setupAuth0WithRedirect.js @@ -639,11 +639,17 @@ const authSetup = function () { return hostname; } + function htmlEncode(str){ + return String(str).replace(/[^\w. ]/gi, function(c){ + return '&#'+c.charCodeAt(0)+';'; + }); + } + function showLoginError(message, linkUrl) { try { document.getElementById("page-title-heading").innerText = "Alert"; var messageElement = document.createElement("textarea"); - messageElement.innerHTML = message; + messageElement.innerHTML = htmlEncode(message); document.getElementById("loading_message_p").innerHTML = messageElement.value + " click here"; } catch (err) { logger("Error in changing loading message: ", err.message) From a0cf3fa5bc35c52ef121accfb8b4076fa407d167 Mon Sep 17 00:00:00 2001 From: Marios Kranitsas Date: Thu, 20 Oct 2022 15:17:18 +0300 Subject: [PATCH 2/3] Fixes --- web-assets/js/setupAuth0WithRedirect.js | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/web-assets/js/setupAuth0WithRedirect.js b/web-assets/js/setupAuth0WithRedirect.js index fc96093..c1971be 100644 --- a/web-assets/js/setupAuth0WithRedirect.js +++ b/web-assets/js/setupAuth0WithRedirect.js 
@@ -422,7 +422,10 @@ const authSetup = function () { // XSS rules const encode = function(str) { - return str.replace(/[\x26\x0A\<>'"]/g,function(str){return"&#"+str.charCodeAt(0)+";"}) + str = str.replace(/[\x26\x0A\<>'"]/g,function(str){return"&#"+str.charCodeAt(0)+";"}) + return String(str).replace(/[^\w. ]/gi, function(c){ + return '&#'+c.charCodeAt(0)+';'; + }); } // end XSS rules @@ -639,17 +642,11 @@ const authSetup = function () { return hostname; } - function htmlEncode(str){ - return String(str).replace(/[^\w. ]/gi, function(c){ - return '&#'+c.charCodeAt(0)+';'; - }); - } - function showLoginError(message, linkUrl) { try { document.getElementById("page-title-heading").innerText = "Alert"; var messageElement = document.createElement("textarea"); - messageElement.innerHTML = htmlEncode(message); + messageElement.innerHTML = message; document.getElementById("loading_message_p").innerHTML = messageElement.value + " click here"; } catch (err) { logger("Error in changing loading message: ", err.message) From c9b39e800402ad5effadeca69dddcd587fab521a Mon Sep 17 00:00:00 2001 From: eisbilir Date: Fri, 21 Oct 2022 21:42:26 +0300 Subject: [PATCH 3/3] mobile view for otp, xss check --- web-assets/css/otp.css | 62 ++++++++++++++++++++++++++++---- web-assets/js/check_email.js | 8 ++--- web-assets/js/otp.js | 17 ++++++--- web-assets/static-pages/otp.html | 6 ++-- 4 files changed, 74 insertions(+), 19 deletions(-) diff --git a/web-assets/css/otp.css b/web-assets/css/otp.css index 7ac69a7..78ebfd5 100644 --- a/web-assets/css/otp.css +++ b/web-assets/css/otp.css @@ -48,10 +48,13 @@ body { flex-direction: column; align-items: center; padding: 0; - gap: 8px; margin-bottom: 51px; } +.topcoder-logo { + margin-bottom: 8px; +} + .header-text { font-family: 'Barlow Condensed'; font-weight: 500; @@ -78,7 +81,6 @@ body { width: 100%; display: flex; flex-direction: column; - gap: 12px; } .message-wrapper { 
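Review bot: The rewritten `encode` double-encodes the characters its first pass handles: the first `replace` turns `&` into `&#38;`, and the catch-all second pass then rewrites the `&`, `#` and `;` of that entity, so a message containing `&`, `<`, `>`, `'`, `"` or a newline renders as literal entity text (`&#38;`) rather than the character. The second pass already covers every character the first one targets, so the first line is redundant and the body can be the single statement `return String(str).replace(/[^\w. ]/gi, function (c) { return '&#' + c.charCodeAt(0) + ';'; });`. As written, `str.replace` on the first line also runs before the `String(str)` coercion, so a non-string argument throws before the coercion can help. The copy of `encode` added at the top of web-assets/js/otp.js (its `@@ -1,14 +1,21 @@` hunk) has the same issue. The enclosing authSetup function starts and ends outside the hunk.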
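Review bot: Restoring `messageElement.innerHTML = message;` leaves showLoginError's textarea round-trip in place, and that round-trip decodes HTML entities: whatever the caller encodes (for instance with the `encode` function patched earlier in authSetup) comes back out of `messageElement.value` as raw text and is then assigned to the `innerHTML` of `loading_message_p`, so the encoding does not reach the sink. The `htmlEncode` wrapper this hunk removes was undone by the same round-trip, which may be why patch 1 appeared ineffective. Encode after the decode step instead, assuming `encode` is in scope here as the hunk context suggests: `document.getElementById("loading_message_p").innerHTML = encode(messageElement.value) + " click here";` — the visible line may have lost markup around `linkUrl` and "click here" in extraction, so keep any such anchor outside the encoded part. The enclosing authSetup function starts and ends outside the hunk.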
@@ -126,20 +128,23 @@ body { .digit-group { display: flex; flex-direction: row; - gap: 12px; margin-bottom: 51px; } +.digit-group :not(:last-child) { + margin-right: 12px; +} + .digit-group input { - width: 44px; - height: 40px; + width: 38px; + height: 36px; background-color: #FFFFFF; border: 1px solid #AAAAAA; line-height: 22px; text-align: center; font-size: 14px; font-weight: 400; - color: #767676; + color: #2A2A2A; border-radius: 4px; } @@ -184,14 +189,57 @@ body { background-clip: text; } +@media (min-width: 1157px) { + .info-mobile { + display: none; + } +} + @media (max-width: 1156px) { + body { + background-color: #ffffff; + } + + .page-wrapper { + margin-top: 0; + } + .row { background: white; - width: 500px; + width: 375px; min-height: auto; } + .left-column { + width: 375px; + } + .logo-column { display: none; } + + .signin-column { + padding: 0px 32px 48px 32px; + } + + .signin-header { + padding-top: 110px; + margin-bottom: 88px; + } + + .info { + padding: 112px 0 0 0; + margin-bottom: 34px; + font-size: 14px; + line-height: 20px; + } + + .digit-group { + margin-bottom: 34px; + } + + .digit-group input { + width: 35px; + height: 36px; + } } \ No newline at end of file diff --git a/web-assets/js/check_email.js b/web-assets/js/check_email.js index fe4b29a..1f37d46 100644 --- a/web-assets/js/check_email.js +++ b/web-assets/js/check_email.js @@ -1,8 +1,8 @@ -var qs = (function (a) { +const qs = (function (a) { if (a == "") return {}; - var b = {}; - for (var i = 0; i < a.length; ++i) { - var p = a[i].split("=", 2); + let b = {}; + for (let i = 0; i < a.length; ++i) { + let p = a[i].split("=", 2); if (p.length == 1) b[p[0]] = ""; else b[p[0]] = decodeURIComponent(p[1].replace(/\+/g, " ")); } diff --git a/web-assets/js/otp.js b/web-assets/js/otp.js index 2bbf3d8..c1edeec 100644 --- a/web-assets/js/otp.js +++ b/web-assets/js/otp.js 
@@ -1,14 +1,21 @@ -var qs = (function (a) { +const qs = (function (a) { if (a == "") return {}; - var b = {}; - for (var i = 0; i < a.length; ++i) { - var p = a[i].split("=", 2); + let b = {}; + for (let i = 0; i < a.length; ++i) { + let p = a[i].split("=", 2); if (p.length == 1) b[p[0]] = ""; else b[p[0]] = decodeURIComponent(p[1].replace(/\+/g, " ")); } return b; })(window.location.search.substr(1).split("&")); +const encode = function (str) { + str = str.replace(/[\x26\x0A\<>'"]/g, function (str) { return "&#" + str.charCodeAt(0) + ";" }) + return String(str).replace(/[^\w. ]/gi, function (c) { + return '&#' + c.charCodeAt(0) + ';'; + }); +} + $(document).ready(function () { window.history.forward(); let formAction = qs["formAction"] || "#"; @@ -57,7 +64,7 @@ $(document).ready(function () { } const errorMessage = qs["message"]; if (errorMessage) { - $("#error").html(errorMessage); + $("#error").html(encode(errorMessage)); $("#error").closest(".message-wrapper").fadeIn(); } diff --git a/web-assets/static-pages/otp.html b/web-assets/static-pages/otp.html index eba71e0..6e0df99 100644 --- a/web-assets/static-pages/otp.html +++ b/web-assets/static-pages/otp.html @@ -36,9 +36,9 @@
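Review bot: `$("#error").html(encode(errorMessage))` still routes the query-string message through an HTML sink, and with the `encode` added at the top of this file the entity-encoded characters are encoded a second time, so a message containing `&`, `<` or quotes displays as entity text. Since the error is plain text, jQuery's text setter avoids the encoder entirely by setting textContent: `$("#error").text(errorMessage);`. If `.html()` is kept, the double-encoding in `encode` needs to be fixed first. The enclosing `$(document).ready` callback starts before the hunk and appears to continue past it.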
Topcoder login
-
Please check the email you used to register your - Topcoder account for an email with a 6 digit code. - Enter the code below to login
+
Please check the email you used to register your
+ Topcoder account for an email
with a 6 digit code.
+
Enter the code below to login