From 0b9b3446da234044684997c8fdf0a7ab60933bf3 Mon Sep 17 00:00:00 2001
From: Dennis Griffin <dgdev1024@gmail.com>
Date: Thu, 26 May 2022 11:36:55 -0400
Subject: [PATCH 1/3] Fixed XSS vulnerability in the click event of
 'button.addComment'. See lines 74 and 75.

---
 public/client.js | 148 ++++++++++++++++++++++++++++-------------------
 1 file changed, 87 insertions(+), 61 deletions(-)

diff --git a/public/client.js b/public/client.js
index 2cda6a53..79024de5 100644
--- a/public/client.js
+++ b/public/client.js
@@ -1,85 +1,111 @@
-$( document ).ready(function() {
-  let  items = [];
-  let  itemsRaw = [];
-  
-  $.getJSON('/api/books', function(data) {
+$(document).ready(function () {
+  let items = [];
+  let itemsRaw = [];
+
+  $.getJSON("/api/books", function (data) {
     //let  items = [];
     itemsRaw = data;
-    $.each(data, function(i, val) {
-      items.push('<li class="bookItem" id="' + i + '">' + val.title + ' - ' + val.commentcount + ' comments</li>');
-      return ( i !== 14 );
+    $.each(data, function (i, val) {
+      items.push(
+        '<li class="bookItem" id="' +
+          i +
+          '">' +
+          val.title +
+          " - " +
+          val.commentcount +
+          " comments</li>"
+      );
+      return i !== 14;
     });
     if (items.length >= 15) {
-      items.push('<p>...and '+ (data.length - 15)+' more!</p>');
+      items.push("<p>...and " + (data.length - 15) + " more!</p>");
     }
-    $('<ul/>', {
-      'class': 'listWrapper',
-      html: items.join('')
-      }).appendTo('#display');
+    $("<ul/>", {
+      class: "listWrapper",
+      html: items.join(""),
+    }).appendTo("#display");
   });
-  
-  let  comments = [];
-  $('#display').on('click','li.bookItem',function() {
-    $("#detailTitle").html('<b>'+itemsRaw[this.id].title+'</b> (id: '+itemsRaw[this.id]._id+')');
-    $.getJSON('/api/books/'+itemsRaw[this.id]._id, function(data) {
+
+  let comments = [];
+  $("#display").on("click", "li.bookItem", function () {
+    $("#detailTitle").html(
+      "<b>" +
+        itemsRaw[this.id].title +
+        "</b> (id: " +
+        itemsRaw[this.id]._id +
+        ")"
+    );
+    $.getJSON("/api/books/" + itemsRaw[this.id]._id, function (data) {
       comments = [];
-      $.each(data.comments, function(i, val) {
-        comments.push('<li>' +val+ '</li>');
+      $.each(data.comments, function (i, val) {
+        comments.push("<li>" + val + "</li>");
       });
-      comments.push('<br><form id="newCommentForm"><input style="width:300px" type="text" class="form-control" id="commentToAdd" name="comment" placeholder="New Comment"></form>');
-      comments.push('<br><button class="btn btn-info addComment" id="'+ data._id+'">Add Comment</button>');
-      comments.push('<button class="btn btn-danger deleteBook" id="'+ data._id+'">Delete Book</button>');
-      $('#detailComments').html(comments.join(''));
+      comments.push(
+        '<br><form id="newCommentForm"><input style="width:300px" type="text" class="form-control" id="commentToAdd" name="comment" placeholder="New Comment"></form>'
+      );
+      comments.push(
+        '<br><button class="btn btn-info addComment" id="' +
+          data._id +
+          '">Add Comment</button>'
+      );
+      comments.push(
+        '<button class="btn btn-danger deleteBook" id="' +
+          data._id +
+          '">Delete Book</button>'
+      );
+      $("#detailComments").html(comments.join(""));
     });
   });
-  
-  $('#bookDetail').on('click','button.deleteBook',function() {
+
+  $("#bookDetail").on("click", "button.deleteBook", function () {
     $.ajax({
-      url: '/api/books/'+this.id,
-      type: 'delete',
-      success: function(data) {
+      url: "/api/books/" + this.id,
+      type: "delete",
+      success: function (data) {
         //update list
-        $('#detailComments').html('<p style="color: red;">'+data+'<p><p>Refresh the page</p>');
-      }
+        $("#detailComments").html(
+          '<p style="color: red;">' + data + "<p><p>Refresh the page</p>"
+        );
+      },
     });
-  });  
-  
-  $('#bookDetail').on('click','button.addComment',function() {
-    let  newComment = $('#commentToAdd').val();
+  });
+
+  $("#bookDetail").on("click", "button.addComment", function () {
+    let newComment = $("#commentToAdd").val();
+    newComment = newComment.replace(/(?\<\/?.+\>)/gi, "");
     $.ajax({
-      url: '/api/books/'+this.id,
-      type: 'post',
-      dataType: 'json',
-      data: $('#newCommentForm').serialize(),
-      success: function(data) {
+      url: "/api/books/" + this.id,
+      type: "post",
+      dataType: "json",
+      data: $("#newCommentForm").serialize(),
+      success: function (data) {
         comments.unshift(newComment); //adds new comment to top of list
-        $('#detailComments').html(comments.join(''));
-      }
+        $("#detailComments").html(comments.join(""));
+      },
     });
   });
-  
-  $('#newBook').click(function() {
+
+  $("#newBook").click(function () {
     $.ajax({
-      url: '/api/books',
-      type: 'post',
-      dataType: 'json',
-      data: $('#newBookForm').serialize(),
-      success: function(data) {
+      url: "/api/books",
+      type: "post",
+      dataType: "json",
+      data: $("#newBookForm").serialize(),
+      success: function (data) {
         //update list
-      }
+      },
     });
   });
-  
-  $('#deleteAllBooks').click(function() {
+
+  $("#deleteAllBooks").click(function () {
     $.ajax({
-      url: '/api/books',
-      type: 'delete',
-      dataType: 'json',
-      data: $('#newBookForm').serialize(),
-      success: function(data) {
+      url: "/api/books",
+      type: "delete",
+      dataType: "json",
+      data: $("#newBookForm").serialize(),
+      success: function (data) {
         //update list
-      }
+      },
     });
-  }); 
-  
-});
\ No newline at end of file
+  });
+});

From c465f8b7ba09c1e1e95ae4b5fe8dd2b3ec32a6fb Mon Sep 17 00:00:00 2001
From: Dennis Griffin <dgdev1024@gmail.com>
Date: Thu, 26 May 2022 12:41:26 -0400
Subject: [PATCH 2/3] Fixed an additional XSS vulnerability in fetching book
 titles..

---
 public/client.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/client.js b/public/client.js
index 79024de5..75eeeaed 100644
--- a/public/client.js
+++ b/public/client.js
@@ -10,7 +10,7 @@ $(document).ready(function () {
         '<li class="bookItem" id="' +
           i +
           '">' +
-          val.title +
+          val.title.replace(/(?\<\/?.+\>)/gi, "") +
           " - " +
           val.commentcount +
           " comments</li>"

From bd19b7e0d53e472dc000299bb068ed69814477cc Mon Sep 17 00:00:00 2001
From: Dennis Griffin <dgdev1024@gmail.com>
Date: Thu, 26 May 2022 15:54:28 -0400
Subject: [PATCH 3/3] Tidied up the sanitizing code.

Tidied up the HTML-sanitizing code.
- The regular expression to pick up HTML tags is now at the top of the file. (Line 2)
- When book titles are read from the database, they are first sanitized of any tags. (Line 16)
- When a book is selected and its title appears in the comment section, the title is again sanitized. (Line 36)
- When a book's comments are fetched from the database, the comments are sanitized as well. (Line 78)
---
 public/client.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/public/client.js b/public/client.js
index 75eeeaed..8941fbe3 100644
--- a/public/client.js
+++ b/public/client.js
@@ -1,3 +1,6 @@
+// Regular expression to pick up HTML/XML tags, in case of any cross-site scripting attempts.
+const tagRegex = /(?:\<\/?.+\>)/g;
+
 $(document).ready(function () {
   let items = [];
   let itemsRaw = [];
@@ -10,7 +13,7 @@ $(document).ready(function () {
         '<li class="bookItem" id="' +
           i +
           '">' +
-          val.title.replace(/(?\<\/?.+\>)/gi, "") +
+          val.title.replace(tagRegex, "") +   // If title in database has HTML tags, remove them.
           " - " +
           val.commentcount +
           " comments</li>"
@@ -30,7 +33,7 @@ $(document).ready(function () {
   $("#display").on("click", "li.bookItem", function () {
     $("#detailTitle").html(
       "<b>" +
-        itemsRaw[this.id].title +
+        itemsRaw[this.id].title.replace(tagRegex, "") +   // If title in database has HTML tags, remove them.
         "</b> (id: " +
         itemsRaw[this.id]._id +
         ")"
@@ -72,7 +75,7 @@ $(document).ready(function () {
 
   $("#bookDetail").on("click", "button.addComment", function () {
     let newComment = $("#commentToAdd").val();
-    newComment = newComment.replace(/(?\<\/?.+\>)/gi, "");
+    newComment = newComment.replace(tagRegex, ""); // Sanitize new comment before adding to the HTML below.
     $.ajax({
       url: "/api/books/" + this.id,
       type: "post",