From 95b2ad9333a2d28dc67e4b568373cf6e8770d51f Mon Sep 17 00:00:00 2001
From: Koen Deforche
Date: Wed, 13 Jul 2016 14:27:26 +0200
Subject: [PATCH] Two vunlerability fixes:
- Fix #9095 XSS vulnerability
- Fix #5094 DoS vulnerability
---
 examples/wt-homepage/Home.C | 5 +++--
 src/web/WebRenderer.C | 9 +++++++--
 src/web/WebRenderer.h | 2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/examples/wt-homepage/Home.C b/examples/wt-homepage/Home.C
index af88aadfa8..e441fdd336 100644
--- a/examples/wt-homepage/Home.C
+++ b/examples/wt-homepage/Home.C
@@ -425,7 +425,8 @@ WString Home::tr(const char *key)
 void Home::googleAnalyticsLogger()
 {
- doJavaScript("if (window.ga) ga('send','pageview','"
- + environment().deploymentPath() + internalPath() + "');");
+ doJavaScript("if (window.ga) ga('send','pageview',"
+ + WWebWidget::jsStringLiteral(environment().deploymentPath()
+ + internalPath()) + ");");
 }
diff --git a/src/web/WebRenderer.C b/src/web/WebRenderer.C
index 5e79c260f8..fca8ac48d9 100644
--- a/src/web/WebRenderer.C
+++ b/src/web/WebRenderer.C
@@ -106,6 +106,7 @@ WebRenderer::WebRenderer(WebSession& session)
 pageId_(0),
 expectedAckId_(0),
 scriptId_(0),
+ ackErrs_(0),
 linkedCssCount_(-1),
 currentStatelessSlotIsActuallyStateless_(true),
 formObjectsChanged_(true),
@@ -211,10 +212,12 @@ bool WebRenderer::ackUpdate(int updateId)
 LOG_DEBUG("jsSynced(false) after ackUpdate okay");
 setJSSynced(false);
 ++expectedAckId_;
+ ackErrs_ = 0;
 return true;
 } else if ((updateId < expectedAckId_ && expectedAckId_ - updateId < 5) ||
 (expectedAckId_ - 5 < updateId)) {
- return true; // That's still acceptible but no longer plausible
+ ++ackErrs_;
+ return ackErrs_ < 3; // That's still acceptible but no longer plausible
 } else
 return false;
 }
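Review bot: The new googleAnalyticsLogger body escapes the request-derived path with `WWebWidget::jsStringLiteral`, while the PATH_INFO fix in src/web/WebRenderer.C in this same patch moves away from that helper to `safeJsStringLiteral`; if the difference is that the safe variant also neutralises `</script>`-style sequences for script emitted inline in an HTML page, this call deserves the same scrutiny, since internalPath() is attacker-controlled and doJavaScript output may end up in the initial page (inferred, not visible here). If jsStringLiteral is sufficient in this context, record why at the call site: `// internalPath() comes from the request URL; emit it as a JS string literal so quotes/backslashes cannot break out of the ga() call`. Only this hunk of Home.C is visible, so the surrounding render path is not established.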
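Review bot: `expectedAckId_ - updateId` and `expectedAckId_ - 5` in the else-if are signed int arithmetic on a client-supplied updateId, and expectedAckId_ is seeded from `WRandom::get()` elsewhere in this patch; if that seed can land near the int limits, or a client sends INT_MIN, the subtraction is undefined behaviour in exactly the path this DoS fix hardens. Note also that the first clause `(updateId < expectedAckId_ && expectedAckId_ - updateId < 5)` is implied by the second `(expectedAckId_ - 5 < updateId)`, so the branch accepts every id above expectedAckId_-5 with no upper bound; if a two-sided window was intended, that bound is missing. Widening to long long before subtracting removes the overflow and lets the condition be stated once; the thresholds 5 and 3 would also read better as named constants. ackUpdate starts before this hunk.
```cpp
  } else {
    // updateId is client-supplied; widen before subtracting so an extreme
    // value cannot overflow the signed plausibility test.
    const long long delta = static_cast<long long>(expectedAckId_) - updateId;
    if (delta < 5) {
      ++ackErrs_;
      return ackErrs_ < 3; // That's still acceptible but no longer plausible
    } else
      return false;
  }
```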
@@ -342,6 +345,7 @@ void WebRenderer::streamBootContent(WebResponse& response,
 bootJs.setVar("SESSION_ID", session_.sessionId());
 expectedAckId_ = scriptId_ = WRandom::get();
+ ackErrs_ = 0;
 bootJs.setVar("SCRIPT_ID", scriptId_);
 bootJs.setVar("RANDOMSEED", WRandom::get());
@@ -351,7 +355,7 @@ void WebRenderer::streamBootContent(WebResponse& response,
 bootJs.setVar("AJAX_CANONICAL_URL", safeJsStringLiteral(session_.ajaxCanonicalUrl(response)));
 bootJs.setVar("APP_CLASS", "Wt");
- bootJs.setVar("PATH_INFO", WWebWidget::jsStringLiteral
+ bootJs.setVar("PATH_INFO", safeJsStringLiteral
 (session_.pagePathInfo_));
 bootJs.setCondition("COOKIE_CHECKS", conf.cookieChecks());
@@ -884,6 +888,7 @@ void WebRenderer::serveMainscript(WebResponse& response)
 }
 } else {
 expectedAckId_ = scriptId_ = WRandom::get();
+ ackErrs_ = 0;
 }
 WApplication *app = session_.app();
diff --git a/src/web/WebRenderer.h b/src/web/WebRenderer.h
index 5746bc8529..870f256295 100644
--- a/src/web/WebRenderer.h
+++ b/src/web/WebRenderer.h
@@ -104,7 +104,7 @@ class WT_API WebRenderer : public Wt::SlotLearnerInterface
 WebSession& session_;
 bool visibleOnly_, rendered_, initialStyleRendered_;
- int twoPhaseThreshold_, pageId_, expectedAckId_, scriptId_;
+ int twoPhaseThreshold_, pageId_, expectedAckId_, scriptId_, ackErrs_;
 int linkedCssCount_;
 std::string solution_;
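Review bot: The pair `expectedAckId_ = scriptId_ = WRandom::get(); ackErrs_ = 0;` now appears here and again in serveMainscript (and the counter is zeroed a third time in the constructor), so the next place that re-seeds the ack id can silently forget the reset and re-open the window this DoS fix closes. A one-line private helper such as `void WebRenderer::resetAckState() { expectedAckId_ = scriptId_ = WRandom::get(); ackErrs_ = 0; }` called from both sites keeps the two fields in lock-step. streamBootContent starts and ends outside this hunk.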
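Review bot: The switch to `safeJsStringLiteral` for PATH_INFO carries no explanation of why the plain `WWebWidget::jsStringLiteral` was insufficient, which is exactly what the next maintainer needs in order not to revert it. I would annotate the line: `// pagePathInfo_ is taken from the request URL and this template is emitted inline in HTML; use the safe variant so a '</script>' in it cannot terminate the bootstrap script` — the inline-emission part is my inference from the template's other safeJsStringLiteral use (AJAX_CANONICAL_URL), so confirm it before committing the wording. streamBootContent starts and ends outside this hunk.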
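Review bot: `ackErrs_` is appended to a run of undocumented int members, and its semantics (consecutive accepted-but-implausible ack ids, cleared by an exact match or a re-seed, tolerated while below 3) live only in WebRenderer.C. Give it its own declaration with a comment: `int ackErrs_; // consecutive implausible ack ids accepted by ackUpdate(); 3 in a row fails the update`. The class body continues outside this hunk.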