juice-shop
76 строк · 2.0 Кб
1/*2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.3* SPDX-License-Identifier: MIT4*/5/* jslint node: true */7import * as utils from '../lib/utils'8import * as challengeUtils from '../lib/challengeUtils'9import {10Model,11type InferAttributes,12type InferCreationAttributes,13DataTypes,14type CreationOptional,15type Sequelize16} from 'sequelize'17import { challenges } from '../data/datacache'18import * as security from '../lib/insecurity'19}29const FeedbackModelInit = (sequelize: Sequelize) => {30Feedback.init(31{32UserId: {33type: DataTypes.INTEGER34},35id: {36type: DataTypes.INTEGER,37primaryKey: true,38autoIncrement: true39},40comment: {41type: DataTypes.STRING,42set (comment: string) {43let sanitizedComment: string44if (utils.isChallengeEnabled(challenges.persistedXssFeedbackChallenge)) {45sanitizedComment = security.sanitizeHtml(comment)46challengeUtils.solveIf(challenges.persistedXssFeedbackChallenge, () => {47return utils.contains(48sanitizedComment,49'<iframe src="javascript:alert(`xss`)">'50)51})52} else {53sanitizedComment = security.sanitizeSecure(comment)54}55this.setDataValue('comment', sanitizedComment)56}57},58rating: {59type: DataTypes.INTEGER,60allowNull: false,61set (rating: number) {62this.setDataValue('rating', rating)63challengeUtils.solveIf(challenges.zeroStarsChallenge, () => {64return rating === 065})66}67}68},69{70tableName: 'Feedbacks',71sequelize72}73)74}75