From a3fb2c002c1b8a0b815d8d8ae1e8e08b0cf6d3f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Fri, 15 May 2015 11:08:51 +0200
Subject: [PATCH] FIX: remove dangerous support for style/background attributes in polls
---
 .../javascripts/components/poll-option.js.es6 | 10 +---------
 .../components/poll-results-standard.js.es6 | 11 +++-------
 .../components/poll-results-standard.hbs | 2 +-
 .../javascripts/discourse/templates/poll.hbs | 2 +-
 .../poll/assets/javascripts/poll_dialect.js | 19 ++-----------------
 5 files changed, 8 insertions(+), 36 deletions(-)
diff --git a/plugins/poll/assets/javascripts/components/poll-option.js.es6 b/plugins/poll/assets/javascripts/components/poll-option.js.es6
index fdc10663143..96f7e36cdc6 100644
--- a/plugins/poll/assets/javascripts/components/poll-option.js.es6
+++ b/plugins/poll/assets/javascripts/components/poll-option.js.es6
@@ -1,6 +1,6 @@
 export default Em.Component.extend({
 tagName: "li",
- attributeBindings: ["data-poll-option-id", "data-poll-selected", "style"],
+ attributeBindings: ["data-poll-option-id", "data-poll-selected"],
 "data-poll-option-id": Em.computed.alias("option.id"),
@@ -8,14 +8,6 @@ export default Em.Component.extend({
 return this.get("option.selected") ? "selected" : false;
 }.property("option.selected"),
- style: function() {
- var styles = [];
- if (this.get("color")) { styles.push("color:" + this.get("color")); }
- if (this.get("background")) { styles.push("background:" + this.get("background")); }
-
- return (styles.length > 0 ? styles.join(";") : '').htmlSafe();
- }.property("color", "background"),
-
 render(buffer) {
 buffer.push(this.get("option.html"));
 },
diff --git a/plugins/poll/assets/javascripts/components/poll-results-standard.js.es6 b/plugins/poll/assets/javascripts/components/poll-results-standard.js.es6
index dd778026f7c..13ae2798452 100644
--- a/plugins/poll/assets/javascripts/components/poll-results-standard.js.es6
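Review bot: The new `attributeBindings` line in the first hunk carries no hint of why `style` was removed, so a later refactor could reintroduce a bound `style` built from `color`/`background`, which this patch elsewhere shows are parsed out of user-authored poll markup. I would add a comment directly above the line: `// never bind "style" (or any attribute derived from option color/background): those values originate in user-authored poll markup`. The second hunk's `render(buffer)` still pushes `option.html` straight into the buffer; that is unchanged context, but since the only sanitisation visible in this patch is the `whiteListTag` setup in poll_dialect.js, the comment could also name that dependency so the two files are kept in step.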
+++ b/plugins/poll/assets/javascripts/components/poll-results-standard.js.es6
@@ -3,19 +3,14 @@ export default Em.Component.extend({
 classNames: ["results"],
 options: function() {
- const voters = this.get("poll.voters"),
- backgroundColor = this.get("poll.background");
+ const voters = this.get("poll.voters");
 this.get("poll.options").forEach(option => {
- const percentage = voters === 0 ? 0 : Math.floor(100 * option.get("votes") / voters),
- styles = ["width: " + percentage + "%"];
-
- if (backgroundColor) { styles.push("background: " + backgroundColor); }
+ const percentage = voters === 0 ? 0 : Math.floor(100 * option.get("votes") / voters);
 option.setProperties({
 percentage,
- title: I18n.t("poll.option_title", { count: option.get("votes") }),
- style: styles.join(";").htmlSafe()
+ title: I18n.t("poll.option_title", { count: option.get("votes") })
 });
 });
diff --git a/plugins/poll/assets/javascripts/discourse/templates/components/poll-results-standard.hbs b/plugins/poll/assets/javascripts/discourse/templates/components/poll-results-standard.hbs
index 4f29d18dac4..cb0ca7f225b 100644
--- a/plugins/poll/assets/javascripts/discourse/templates/components/poll-results-standard.hbs
+++ b/plugins/poll/assets/javascripts/discourse/templates/components/poll-results-standard.hbs
@@ -5,7 +5,7 @@ -
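Review bot: The rewritten `percentage` line in the poll-results-standard.js.es6 hunk guards only the exact value `0`; if `poll.voters` can arrive as `undefined` or `null` (not visible here, so this is an assumption to confirm), `Math.floor(100 * votes / voters)` yields `NaN` and that is what gets stored on the option. Flipping the comparison covers all three cases in one line: `const percentage = voters > 0 ? Math.floor(100 * option.get("votes") / voters) : 0;`. As a point of style, `options` is a computed property whose getter mutates each option via `setProperties`; a short comment stating that the percentage/title are written back onto the option records as a side effect would help the next reader. The tail of the `options` function (its return and `.property(...)` declaration) lies outside the hunk.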
+
{{/each}}
diff --git a/plugins/poll/assets/javascripts/discourse/templates/poll.hbs b/plugins/poll/assets/javascripts/discourse/templates/poll.hbs
index 4d6b3bae163..e9c89f8d351 100644
--- a/plugins/poll/assets/javascripts/discourse/templates/poll.hbs
+++ b/plugins/poll/assets/javascripts/discourse/templates/poll.hbs
@@ -9,7 +9,7 @@ {{else}} {{/if}}
diff --git a/plugins/poll/assets/javascripts/poll_dialect.js b/plugins/poll/assets/javascripts/poll_dialect.js
index 40b0b6cf37e..87df9056180 100644
--- a/plugins/poll/assets/javascripts/poll_dialect.js
+++ b/plugins/poll/assets/javascripts/poll_dialect.js
@@ -5,8 +5,7 @@
 const DATA_PREFIX = "data-poll-";
 const DEFAULT_POLL_NAME = "poll";
- const WHITELISTED_ATTRIBUTES = ["type", "name", "min", "max", "step", "order", "color", "background", "status"];
- const WHITELISTED_STYLES = ["color", "background"];
+ const WHITELISTED_ATTRIBUTES = ["type", "name", "min", "max", "step", "order", "status"];
 const ATTRIBUTES_REGEX = new RegExp("(" + WHITELISTED_ATTRIBUTES.join("|") + ")=['\"]?[^\\s\\]]+['\"]?", "g");
@@ -81,21 +80,9 @@
 // TODO: remove non whitelisted content
- // generate
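Review bot: The shortened `WHITELISTED_ATTRIBUTES` in the first poll_dialect.js hunk still only constrains attribute names; the value part of `ATTRIBUTES_REGEX`, `[^\\s\\]]+`, accepts any run of non-whitespace characters, and the last hunk of this file (at `@@ -178,6 +165,4 @@`) leaves `whiteListTag("li", "data-*")` in place, so whatever value is captured here appears to land in a `data-poll-*` attribute without further checking. Since `min`, `max` and `step` are numeric and `type`, `status` and `order` are presumably drawn from fixed sets, a per-attribute value check at the point where the captured value is stored (outside this hunk) would narrow what user markup can put on the element; I would at least note that intent in a comment above the regex: `// NOTE: whitelist covers attribute names only; values are validated where they are stored — keep that in step with this list`. A smaller detail: because the value class is greedy, a quoted value such as `name="foo"` is captured as `foo"` with the closing quote included, so downstream code must strip it — worth confirming, since that code is not in the hunk.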
  • styles (if any)
- var styles = [];
- WHITELISTED_STYLES.forEach(function(style) {
- if (attributes[DATA_PREFIX + style]) {
- styles.push(style + ":" + attributes[DATA_PREFIX + style]);
- }
- });
-
- var style = styles.join(";");
-
- // add option id (hash) + style
+ // add option id (hash)
 for (o = 1; o < contents[0].length; o++) {
 var attr = {};
- // apply styles if any
- if (style.length > 0) { attr["style"] = style; }
 // compute md5 hash of the content of the option
 attr[DATA_PREFIX + "option-id"] = md5(JSON.stringify(contents[0][o].slice(1)));
 // store options attributes
@@ -178,6 +165,4 @@
 Discourse.Markdown.whiteListTag("a", "class", /^button (cast-votes|toggle-results)/);
 Discourse.Markdown.whiteListTag("li", "data-*");
- Discourse.Markdown.whiteListTag("li", "style", /^(color=#?\w+;)?(background=#?\w+;)?$/);
-
 })();
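Review bot: In the surviving loop of the `@@ -81,21 +80,9 @@` hunk, `attr[DATA_PREFIX + "option-id"] = md5(JSON.stringify(contents[0][o].slice(1)))` derives the option id from the option content alone, so two options with identical text get the same `data-poll-option-id` and a vote on one is indistinguishable from a vote on the other unless duplicates are rejected elsewhere, which this hunk does not show. Rather than mixing the index into the hash (which would change ids whenever the author reorders options), I would detect the collision here and skip or flag the duplicate, and record the design choice in a comment: `// option id is a content hash so it survives reordering; identical option text therefore collides — duplicates must be rejected before this point`. The loop variable is written as `for (o = 1; ...)` with no declaration in the hunk; if `o` is not declared earlier in the enclosing function (which starts before this hunk) it is an implicit global, so a `var o` should be confirmed. The `// TODO: remove non whitelisted content` line at the top of the hunk remains, so stripping of unknown attributes is still not something this patch provides.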