Fix self-XSS issues in the review request editor.

Review Request #1012 - Created Dec. 19, 2017 and updated

guest6999
Review Board
7156cfa...
user9928
The review request editor had a self-XSS issue, which could cause a user
to accidentally run JavaScript code they've typed in a text field. To
trigger this, they'd have to enable Markdown and write some self-XSS
text (such as `"><script>alert('XSS')<script>`), save that field, and
then modify another field in the review request. That would trigger this
script to be executed.

To fix this, we're no longer listening to per-field change events.
Instead, ReviewRequestEditor has a new fieldChanged event, which is
triggered whenever a field has been successfully saved. The view listens
to this instead, ensuring it's only setting the field content after it
has saved and loaded the new normalized fields.

There's a side-effect of this change. Since the view is no longer
listening to the raw change events, any custom code that changes the
review request or draft will not trigger any changes in the UI, unless
they're using setDraftField or manually emitting the new fieldChanged
event. This probably won't come up much in practice, but is worth
noting.

A positive side-effect is that this also fixes the annoying glitch where
publishing or discarding a draft could appear to empty out or revert
fields, since the view is no longer seeing the fields on the draft being
emptied out and copying the empty/default values over.

Reviewed at https://reviews.reviewboard.org/r/8117/
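
The event pattern the commit message describes, as an added example that is not Review Board's code: a view bound to raw per-field change events receives the text exactly as typed, while a view bound to `fieldChanged` receives only the value normalized by a successful save. Apart from `ReviewRequestEditor`, `setDraftField` and `fieldChanged`, every name here (including the `fakeServerSave` stand-in and its plain HTML escaping) is a hypothetical assumption.

```javascript
// Added example: a simplified model, not Review Board's source. Every name
// except ReviewRequestEditor, setDraftField and fieldChanged is hypothetical.
class Emitter {
  constructor() { this.handlers = {}; }
  on(name, fn) { (this.handlers[name] = this.handlers[name] || []).push(fn); }
  trigger(name, ...args) { (this.handlers[name] || []).forEach(fn => fn(...args)); }
}

// Stand-in for the server (assumption): returns an HTML-safe rendering.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function fakeServerSave(rawText) {
  return { html: rawText.replace(/[&<>"']/g, c => ENTITIES[c]) };
}

class Draft extends Emitter {
  constructor() { super(); this.attrs = {}; }
  set(field, value) {
    this.attrs[field] = value;
    this.trigger('change:' + field, value); // raw per-field change event
  }
}

class ReviewRequestEditor extends Emitter {
  constructor(draft) { super(); this.draft = draft; }
  setDraftField(field, rawText) {
    this.draft.set(field, rawText);
    const saved = fakeServerSave(rawText);
    // Emitted only once the save has returned the normalized value.
    this.trigger('fieldChanged', field, saved.html);
  }
}

// Each "view" records the strings it would assign to the field's innerHTML.
function viewOnRawChange(editor, field) {
  const written = [];
  editor.draft.on('change:' + field, raw => written.push(raw));
  return written;
}
function viewOnFieldChanged(editor, field) {
  const written = [];
  editor.on('fieldChanged', (name, html) => { if (name === field) written.push(html); });
  return written;
}

function demo(text) {
  const editor = new ReviewRequestEditor(new Draft());
  const before = viewOnRawChange(editor, 'description');
  const after = viewOnFieldChanged(editor, 'description');
  editor.setDraftField('description', text);
  return { before, after };
}
```

Calling `editor.draft.set(...)` directly updates only the raw-event view, which mirrors the side effect noted in the message: code that bypasses `setDraftField` no longer reaches a view bound to `fieldChanged`.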

