Merge pull request #17 from teresita-guerrero/issue6

XSS via User Story JSON file -- First approach
Fixes #6

Author: arturonuman

dashboard-project-api/common/models/userStory.js

@@ -8,12 +8,12 @@ module.exports = function(UserStory) {
   var async = require("async");
   var htmlparser = require("htmlparser");
   var cheerio = require('cheerio');
+  var xssFilters = require("xss-filters");
   const SPEC_URL = "http://specs.openstack.org/openstack/openstack-user-stories/user-stories/proposed/";
 
 
   var blueprintsResume = [];
 
-
   var getAllfiles = function(){
     return  fs.readdirSync(route)
       .map(function(file){
@@ -29,11 +29,12 @@ module.exports = function(UserStory) {
     var userStories = getAllfiles();
     //filter by Id
     var file = userStories.filter(function(item){
-      return item.id == id;
+        // VALIDATE IF A VALID ID IS COMING!
+        console.log("my id",xssFilters.inHTMLData(id));
+      return item.id == xssFilters.inHTMLData(id);
     })
 
     file = (file.length > 0)?file[0]:null;
-
     return file;
 
   };
@@ -48,15 +49,19 @@ module.exports = function(UserStory) {
     userStory.tasks.forEach(function (taskName, index, array) {
 
         var task = userStory.tasks_status[taskName];
+        console.log("La tarea es:", task);
 
         task.projects.forEach(function (projectName, index, array) {
-
-          var blueprints = task.projects_status[projectName].blueprints;
+            console.log("The project name is, ", projectName);
+            //VALIDATE projectName EXISTS
+          var blueprints = task.projects_status[xssFilters.inHTMLData(projectName)].blueprints;
           var blueprintNames = Object.keys(blueprints);
 
           blueprintNames.forEach(function (blueprintName, index, array) {
-
-            if (blueprints[blueprintName] == 'completed')
+              console.log("single blueprint: ",blueprintName);
+              console.log("el nombre del blue print es: ", blueprints[blueprintName]);
+              // VALIDATE PROPERLY if this statement is not true
+            if (blueprints[xssFilters.inHTMLData(blueprintName)] == 'completed')
               blueprintsResume.completed = blueprintsResume.completed + 1;
 
             blueprintsResume.total = blueprintsResume.total + 1;
@@ -316,10 +321,10 @@ module.exports = function(UserStory) {
 
             var itemResult = {
               completed: getbluePrintResume(userStory),
-              dateCreated: userStory.date,
-              lastUpdate: lastUpdated,
-              userStory: userStory.description,
-              id:userStory.id
+              dateCreated: xssFilters.inHTMLData(userStory.date),
+              lastUpdate: xssFilters.inHTMLData(lastUpdated),
+              userStory: xssFilters.inHTMLData(userStory.description),
+              id:xssFilters.inHTMLData(userStory.id)
             };
 
             cb(null, itemResult);

dashboard-project-api/package.json

@@ -22,7 +22,8 @@
     "loopback-datasource-juggler": "^2.39.0",
     "markdown": "^0.5.0",
     "serve-favicon": "^2.0.1",
-    "underscore": "^1.8.3"
+    "underscore": "^1.8.3",
+    "xss-filters": "^1.2.7"
   },
   "devDependencies": {
     "jshint": "^2.5.6",