1/*
2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3* SPDX-License-Identifier: MIT
4*/
5
6/* jslint node: true */
7import * as utils from '../lib/utils'8import * as challengeUtils from '../lib/challengeUtils'9import {10Model,11type InferAttributes,12type InferCreationAttributes,13DataTypes,14type CreationOptional,15type Sequelize16} from 'sequelize'17import { challenges } from '../data/datacache'18import * as security from '../lib/insecurity'19
/**
 * Sequelize model for one customer feedback entry.
 *
 * This class only declares the typed attributes; column definitions, the
 * `comment` sanitisation and the training-challenge hooks live in
 * `FeedbackModelInit`.
 */
class Feedback extends Model<InferAttributes<Feedback>, InferCreationAttributes<Feedback>> {
  // Optional on creation: the column is auto-incremented by the database.
  declare id: CreationOptional<number>
  // May be null (presumably feedback submitted without a logged-in user — confirm in the feedback route).
  declare UserId: number | null
  // Stored only after passing through a sanitiser; see the setter in FeedbackModelInit.
  declare comment: string
  // Star rating; the column is declared allowNull: false in FeedbackModelInit.
  declare rating: number
}
/**
 * Registers the `Feedback` model on a Sequelize connection.
 *
 * Both setters double as training-challenge hooks: the `comment` setter picks
 * its sanitiser based on whether the persisted-XSS feedback challenge is
 * enabled, and the `rating` setter marks the zero-stars challenge as solved
 * when a rating of 0 is written.
 *
 * @param sequelize - the connection the model is attached to
 */
const FeedbackModelInit = (sequelize: Sequelize) => {
  Feedback.init(
    {
      UserId: {
        type: DataTypes.INTEGER
      },
      id: {
        type: DataTypes.INTEGER,
        primaryKey: true,
        autoIncrement: true
      },
      comment: {
        type: DataTypes.STRING,
        set (comment: string) {
          const xssChallenge = challenges.persistedXssFeedbackChallenge
          if (!utils.isChallengeEnabled(xssChallenge)) {
            // Challenge disabled: the strict sanitiser is the only path to the column.
            this.setDataValue('comment', security.sanitizeSecure(comment))
            return
          }
          // Challenge enabled: route through security.sanitizeHtml instead
          // (presumably the more permissive of the two, since the solve check
          // below expects the marker to survive it — confirm in lib/insecurity).
          const cleaned = security.sanitizeHtml(comment)
          challengeUtils.solveIf(xssChallenge, () =>
            utils.contains(cleaned, '<iframe src="javascript:alert(`xss`)">')
          )
          // Whatever survived sanitisation is what gets persisted.
          this.setDataValue('comment', cleaned)
        }
      },
      rating: {
        type: DataTypes.INTEGER,
        allowNull: false,
        set (rating: number) {
          this.setDataValue('rating', rating)
          // Zero-stars challenge: solved when a rating of exactly 0 is stored.
          challengeUtils.solveIf(challenges.zeroStarsChallenge, () => rating === 0)
        }
      }
    },
    {
      tableName: 'Feedbacks',
      sequelize
    }
  )
}
75
// Public surface of this module: the model class (under its conventional
// `...Model` alias) and the initialiser that binds it to a connection.
export { FeedbackModelInit }
export { Feedback as FeedbackModel }