Merge pull request #3763 from overleaf/jpa-xss-7

[views] mitigate XSS on new subscription page

GitOrigin-RevId: 74baa58527aa9b2f9e434c280885b627f73898b6

services/web/app/src/Features/Subscription/SubscriptionController.js

@@ -121,21 +121,17 @@ module.exports = SubscriptionController = {
                   }
                   return res.render('subscriptions/new', {
                     title: 'subscribe',
-                    plan_code: req.query.planCode,
                     currency,
                     countryCode,
                     plan,
-                    showStudentPlan: req.query.ssp,
+                    showStudentPlan: req.query.ssp === 'true',
                     recurlyConfig: JSON.stringify({
                       currency,
                       subdomain: Settings.apis.recurly.subdomain
                     }),
-                    showCouponField: req.query.scf,
-                    showVatField: req.query.svf,
-                    couponCode: req.query.cc || '',
-                    gaOptimize: true,
-                    ITMCampaign: req.query.itm_campaign,
-                    ITMContent: req.query.itm_content
+                    showCouponField: !!req.query.scf,
+                    showVatField: !!req.query.svf,
+                    gaOptimize: true
                   })
                 }
               )

services/web/app/views/subscriptions/new.pug

@@ -3,13 +3,9 @@ extends ../layout
 block head-scripts
 	script(src="https://js.recurly.com/v4/recurly.js")
 	script(type='text/javascript').
-		window.countryCode = '#{countryCode}'
-		window.plan_code = '#{plan_code}'
+		window.countryCode = !{StringHelper.stringifyJsonForScript(countryCode || '')}
 		window.recurlyApiKey = "!{settings.apis.recurly.publicKey}"
-		window.couponCode = !{StringHelper.stringifyJsonForScript(couponCode)}
-		window.recomendedCurrency = !{StringHelper.stringifyJsonForScript(currency.slice(0,3))}
-		window.ITMCampaign = '#{ITMCampaign}'
-		window.ITMContent = '#{ITMContent}'
+		window.recomendedCurrency = !{StringHelper.stringifyJsonForScript(String(currency).slice(0,3))}
 
 block content
 	main.content.content-alt
@@ -186,7 +182,7 @@ block content
 															required
 														)
 														span.input-feedback-message  {{ simpleCCForm.address1.$error.required ? 'This field is required' : '' }}
-											
+
 											.row
 												.col-xs-12
 													.form-group.has-feedback(ng-class="validation.errorFields.address2 ? 'has-external-error' : ''")
@@ -198,7 +194,7 @@ block content
 															name="address2"
 															ng-model="data.address2"
 														)
-												
+
 											.row
 												.col-xs-4
 													.form-group(ng-class="validation.errorFields.postal_code || inputHasError(simpleCCForm.postalCode) ? 'has-external-error' : ''")
@@ -212,7 +208,7 @@ block content
 															required
 														)
 														span.input-feedback-message  {{ simpleCCForm.postalCode.$error.required ? 'This field is required' : '' }}
-												
+
 												.col-xs-8
 													.form-group(ng-class="validation.errorFields.country || inputHasError(simpleCCForm.country) ? 'has-external-error' : ''")
 														label(for="country") #{translate('country')}
@@ -317,7 +313,7 @@ block content
 
 
 				.col-md-3.col-md-pull-4
-					if showStudentPlan == 'true'
+					if showStudentPlan
 						a.btn-primary.btn.plansPageStudentLink(
 							href,
 							ng-click="switchToStudent()"

services/web/frontend/js/main/new-subscription.js

@@ -11,8 +11,14 @@ export default App.controller('NewSubscriptionController', function(
   $scope,
   MultiCurrencyPricing,
   $http,
+  $location,
   eventTracking
 ) {
+  window.couponCode = $location.search().cc || ''
+  window.plan_code = $location.search().planCode || ''
+  window.ITMCampaign = $location.search().itm_campaign || ''
+  window.ITMContent = $location.search().itm_content || ''
+
   if (typeof recurly === 'undefined' || !recurly) {
     $scope.recurlyLoadError = true
     return