fix: HTML syntax errors and XSS vulnerabilities (#2179)

Also add option to skip downloads to develop faster

Author: iamareebjamal

.gitignore

@@ -46,4 +46,6 @@ jspm_packages
 /uploads
 /mockjson
 
-configmap.yml.secret
+configmap.yml.secret
+
+.tool-versions

src/backend/dist.js

@@ -19,7 +19,15 @@ const uploadsPath = __dirname + '/../../uploads';
 const mockPath = __dirname + '/../../mockjson';
 let width, height, ratio, padding, diffHeight, qualityMultiplier, filePath, fileData, hashString, counter;
 
+const skipDownload = process.env.SKIP_DOWNLOAD === 'true';
+
 const downloadFile = function(url, file_path, next) {
+  if (skipDownload) {
+    console.log('skipped')
+    next();
+    return;
+  }
+
   const fileStream = fs.createWriteStream(file_path);
 
   fileStream.on('error', function(err) {

src/backend/templates/event.hbs

@@ -71,7 +71,7 @@
               <div class="col-md-4">
               </div>
               <div class="ticket-button-container col-md-8">
-                <a href="{{{eventurls.register}}}" id="ticket-button" class="pull-right btn btn-lg btn-primary" role="button">Tickets</a>
+                <a href="{{eventurls.register}}" id="ticket-button" class="pull-right btn btn-lg btn-primary" role="button">Tickets</a>
               </div>
             </div>
           </div>
@@ -105,9 +105,9 @@
                         <div class="speaker">
                           <div class="image-holder">
                             {{#if photo}}
-                              <img onError="this.onerror=null;this.src='./images/avatar.png';" data-original="{{{photo}}}" class="lazy background-image display-block" alt="{{{name}}}">
+                              <img onError="this.onerror=null;this.src='./images/avatar.png';" data-original="{{photo}}" class="lazy background-image display-block" alt="{{name}}">
                             {{else}}
-                              <img class="background-image display-block" alt="{{{name}}}" src="images/avatar.png"/>
+                              <img class="background-image display-block" alt="{{name}}" src="images/avatar.png"/>
                             {{/if}}
                             <div class="responsive-overlay">
                               <div class="hover-state text-center preserve3d">
@@ -154,7 +154,7 @@
           <div class="tweet-row">
             <div class="col-sm-12 col-md-12 col-xs-12">
               <i class ="social_twitter fa fa-twitter"></i>
-              <div class="tweets-feed" id="tweets" data-count=50 data-query="{{{eventurls.twitterLink}}}" data-from="{{{eventurls.twitterLink}}}">
+              <div class="tweets-feed" id="tweets" data-count=50 data-query="{{eventurls.twitterLink}}" data-from="{{eventurls.twitterLink}}">
                 <div class="arrow-up"></div>
                 <p id="tweet" class="tweet">
                   Loading...
@@ -195,12 +195,12 @@
               <div class="row">
                 {{#each sponsorpics}}
                   {{#each this}}
-                    <div class="sponsor-row-text {{{divclass}}}">
-                      <div class=" {{{sponsorimg}}} text-center">
-                        <a href="{{{url}}}" data-toggle="tooltip" title="{{{type}}}">
-                          <img class="lazy centre {{{imgsize}}}" alt="{{{name}}}" data-original="{{{logo}}}">
+                    <div class="sponsor-row-text {{divclass}}">
+                      <div class="{{sponsorimg}} text-center">
+                        <a href="{{url}}" data-toggle="tooltip" title="{{type}}">
+                          <img class="lazy centre {{imgsize}}" alt="{{name}}" data-original="{{logo}}">
                         </a>
-                        {{{name}}}
+                        {{name}}
                       </div>
                     </div>
                   {{/each}}
@@ -235,7 +235,7 @@
       {{/if}}
     {{/if}}
 
-    <input type="hidden" id="mappos" value="{{{eventurls.latitude}}},{{{eventurls.longitude}}}"/>
+    <input type="hidden" id="mappos" value="{{eventurls.latitude}},{{eventurls.longitude}}"/>
     <input type="hidden" id="theme" value={{theme}} />
     <input type="hidden" id="mapType" value={{map}} />
 

src/backend/templates/partials/footer.hbs

@@ -7,7 +7,7 @@
           <ul class="menu">
             <li><a target="_self" href="index.html#description">About</a></li>
             {{#if eventurls.register}}
-            <li><a target="_self" href="{{{eventurls.register}}}">Tickets</a></li>
+            <li><a target="_self" href="{{eventurls.register}}">Tickets</a></li>
             {{/if}}
             {{#if timeList}}
             <li><a target="_self" href="schedule.html">Schedule</a></li>
@@ -31,15 +31,15 @@
           {{#if copyright}}
             {{#if copyright.licence}}
               <p>
-                <a href="{{{copyright.licence_url}}}"><img src="{{{copyright.logo}}}"></a>
+                <a href="{{copyright.licence_url}}"><img src="{{copyright.logo}}"></a>
          &nbsp;       &copy; {{copyright.year}}
                 {{#if copyright.holder_url}}
-                  <a href="{{{copyright.holder_url}}}">{{copyright.holder}}.</a>
+                  <a href="{{copyright.holder_url}}">{{copyright.holder}}.</a>
                 {{else}}
                   {{copyright.holder}}.
                 {{/if}}
                 The website and its contents are licensed under
-                <a href="{{{copyright.licence_url}}}"> {{copyright.licence}}. </a>
+                <a href="{{copyright.licence_url}}"> {{copyright.licence}}. </a>
                 The site was generated using the Open Event format on the <a href="https://eventyay.com/">eventyay</a> <a href="https://webgen.eventyay.com/">site generator</a>. Please submit issues <a href="https://github.com/fossasia/open-event-webapp/issues">here</a>.
               </p>
             {{/if}}
@@ -60,7 +60,7 @@
         {{#if eventurls.location}}
         <li class="address">
         <i class="fa fa-map-marker"></i>
-          <div>{{{eventurls.orgname}}}&#44;&nbsp;{{eventurls.location}}</div>
+          <div>{{eventurls.orgname}}&#44;&nbsp;{{eventurls.location}}</div>
         </li>
         {{/if}}
       </ul>
@@ -71,7 +71,7 @@
       <ul class="social-profiles">
         {{#sociallinks}}
           {{#if show}}
-            <li class="pull-left social-icons"><a href="{{link}}" id="social-icons"><i class="fa fa-lg fa-{{icon}}" aria-hidden="true" title="{{{icon}}}"></i></a></li>
+            <li class="pull-left social-icons"><a href="{{link}}" id="social-icons"><i class="fa fa-lg fa-{{icon}}" aria-hidden="true" title="{{icon}}"></i></a></li>
           {{/if}}
         {{/sociallinks}}
       </ul>

src/backend/templates/partials/navbar.hbs

@@ -22,7 +22,7 @@
         <ul class="dropdown-menu list-menu">
           {{#sociallinks}}
             {{#if show}}
-              <li><a href="{{link}}" id="social-icons"><i class="fa fa-lg fa-{{icon}}" aria-hidden="true" title="{{{icon}}}"></i></a></li>
+              <li><a href="{{link}}" id="social-icons"><i class="fa fa-lg fa-{{icon}}" aria-hidden="true" title="{{icon}}"></i></a></li>
             {{/if}}
           {{/sociallinks}}
         </ul>
@@ -115,7 +115,7 @@
 
         {{#sociallinks}}
           {{#if show}}
-            <li class="pull-left social-icons"><a href="{{link}}" id="social-icons"><i class="fa fa-lg fa-{{icon}}" aria-hidden="true" title="{{{icon}}}"></i></a></li>
+            <li class="pull-left social-icons"><a href="{{link}}" id="social-icons"><i class="fa fa-lg fa-{{icon}}" aria-hidden="true" title="{{icon}}"></i></a></li>
           {{/if}}
         {{/sociallinks}}
 

src/backend/templates/rooms.hbs

@@ -184,7 +184,7 @@
                                 <div class="margin-down-15">{{title}}
                                 </div>
                                 <div id="desc2-{{session_id}}" class="collapse in"
-                                  style="background-color:{{{color}}}; color: {{{font_color}}};">
+                                  style="background-color:{{color}}; color: {{font_color}};">
                                   <div class="row">
                                     {{#if speakers_list.length}}
                                       <div class="speakers-list">
@@ -257,22 +257,22 @@
                                     <div class="blacktext session-speaker-social margin-down-10">
                                       <div class="session-speakers-more">
                                         {{#if website}}
-                                          <a class="blacktext social speaker-social" href="{{{website}}}"}>
+                                          <a class="blacktext social speaker-social" href="{{website}}"}>
                                             <i class="fa fa-home"></i> Web
                                           </a>&nbsp;
                                         {{/if}}
                                         {{#if github}}
-                                          <a class="blacktext social speaker-social" href="{{{github}}}"}>
+                                          <a class="blacktext social speaker-social" href="{{github}}"}>
                                             <i class="fa fa-github"></i> Github
                                           </a>&nbsp;
                                         {{/if}}
                                         {{#if twitter}}
-                                          <a class="blacktext social speaker-social" href="{{{twitter}}}"}>
+                                          <a class="blacktext social speaker-social" href="{{twitter}}"}>
                                             <i class="fa fa-twitter"></i> Twitter
                                           </a>&nbsp;
                                         {{/if}}
                                         {{#if linkedin}}
-                                          <a class="blacktext social speaker-social" href="{{{linkedin}}}"}>
+                                          <a class="blacktext social speaker-social" href="{{linkedin}}"}>
                                             <i class="fa fa-linkedin"></i> LinkedIn
                                           </a>&nbsp;
                                         {{/if}}
@@ -307,7 +307,7 @@
                                     {{/if}}
                                     <p>
                                       <ul class="title-inline">
-                                        <li style="background-color:{{{color}}}; color: {{{font_color}}};" class="titlecolor"></li>&nbsp;
+                                        <li style="background-color:{{color}}; color: {{font_color}};" class="titlecolor"></li>&nbsp;
                                         <li class="blacktext track-name">{{tracktitle}}</li>
                                       </ul>
                                     </p><br>