From 2e1726cb5fbac831dd031e2f35f13e9bb6ae9c90 Mon Sep 17 00:00:00 2001 From: bfederle Date: Wed, 14 Mar 2012 10:53:44 -0700 Subject: [PATCH] Add helper function to sanitize user input strings For any strings that require sanitization (i.e., strip HTML/JavaScript), wrap the string around cloudStack.sanitize, or _s for short. This currently will remove embedded HTML tags, which are the main security issues present. Example: var str = 'My String'; _s(str) = '<script>Hello</script>My String'
---
 ui/scripts/ui/utils.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/ui/scripts/ui/utils.js b/ui/scripts/ui/utils.js
index 79a39e1d491..cda98a0c4f3 100644
--- a/ui/scripts/ui/utils.js
+++ b/ui/scripts/ui/utils.js
@@ -54,4 +54,18 @@
 return localized ? localized : str;
 };
+
+ /**
+ * Sanitize user input -- shortcut _s
+ *
+ * Strip unwanted characters from user-based input
+ */
+ cloudStack.sanitize = window._s = function(str) {
+ var sanitized = str
+ .replace(/&/g, "&")
+ .replace(//g, ">");
+
+ return sanitized;
+ };
 })(jQuery, cloudStack);
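Review bot: `cloudStack.sanitize` only escapes `&`, `<` and `>` (the second and third `replace` calls look garbled in this rendering, presumably `/</g` to `&lt;` and `/>/g` to `&gt;`), so its output is safe only when inserted as element text; a value placed inside a quoted attribute such as `title="..."` or `value='...'` can still break out because `"` and `'` pass through untouched, and it offers nothing for JavaScript or URL contexts. `str.replace` also throws when `str` is `undefined`, `null` or a number, which UI field values frequently are, so `_s(obj.missingField)` would crash the page instead of returning an empty string. The doc comment says "Strip unwanted characters" and the commit message says tags are "removed", but the code encodes rather than strips; the comment should say so, e.g. `* HTML-escape a string for safe insertion as element text or attribute content (encodes, does not strip)`. Suggested rewrite of the function body:
```javascript
cloudStack.sanitize = window._s = function(str) {
  // Coerce rather than throw: UI callers routinely pass undefined/null/numbers.
  if (str == null) return '';
  return String(str)
    .replace(/&/g, "&amp;")   // must run first so later entities are not double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")  // needed when the value lands in a quoted attribute
    .replace(/'/g, "&#39;");
};
```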