wtf is xss?

src/wanijo/framework/view.clj

@@ -1,7 +1,8 @@
 (ns wanijo.framework.view
-  (:require [hiccup.page :refer
+  (:require [hiccup
-             [html5 include-css include-js]]
+             [page :refer [html5 include-js include-css]]
-            [hiccup.form :as hform]
+             [form :as hform]
+             [core :refer [h]]]
             [wanijo.framework.routing :refer [path]]))
 
 (defn btnlink
@@ -47,7 +48,8 @@
          (when authed?
            [:small.app-title__hello
             "Hi, "
-            [:a {:href (path :user-profile)} ident]])]
+            [:a {:href (path :user-profile)}
+             (h ident)]])]
         (when authed?
           [:section.header-content
            (btnlink (path :schema-overview)
@@ -64,7 +66,7 @@
             (for [schema (:schemas session)]
               [:li [:a {:href (path :instance-list
                                     {:schema-uuid (:uuid schema)})}
-                    (:name schema)]])]])]
+                    (h (:name schema))]])]])]
        (into [:main
               (for [msg (:flash request)]
                 (flash-error msg))]

src/wanijo/instance/view.clj

@@ -1,5 +1,7 @@
 (ns wanijo.instance.view
-  (:require [hiccup.form :as hform]
+  (:require [hiccup
+             [form :as hform]
+             [core :refer [h]]]
             [ring.util.anti-forgery :refer [anti-forgery-field]]
             [formulare.core :as form]
             [wanijo.instance.domain :as domain]
@@ -12,7 +14,7 @@
    :request req
    :content
    [[:h1 "All Instances of schema "
-     [:span.schema-title__name (:name schema)]]
+     [:span.schema-title__name (h (:name schema))]]
     [:table
      [:thead
       [:tr
@@ -24,7 +26,7 @@
         [:tr
          [:td
           [:a {:href (path :instance-show instance)}
-           (:name instance)]]
+           (h (:name instance))]]
          [:td (prettify-dt (:updated_at instance))]
          [:td (prettify-dt (:created_at instance))]])]]
     [:h1 "New Instance"]
@@ -39,9 +41,9 @@
    :request req
    :content
    [[:h1
-     (-> instance :schema :name)
+     (h (-> instance :schema :name))
      " "
-     [:small (:name instance)]]
+     [:small (h (:name instance))]]
     [:p
      [:small [:a {:href (path :instance-edit-form instance)}
               "Edit Instance"]]]
@@ -49,14 +51,17 @@
           :let [auuid (:uuid attr)
                 prop (first (filter #(= auuid (-> % :attribute :uuid))
                                     (:properties instance)))]]
-      (list [:em (:name attr)]
+      (list [:em (h (:name attr))]
-            [:p (:value prop)]))]))
+            [:p (h (:value prop))]))]))
 
 (defn edit! [instance form form-data req]
   (view/layout!
    :request req
    :content
-   [[:h1 (:name instance)]
+   [[:h1
+     (h (-> instance :schema :name))
+     " "
+     [:small (h (:name instance))]]
     (hform/form-to [:post (path :instance-edit instance)]
                    (form/render-widgets form form-data req)
                    (hform/submit-button "Edit!"))]))

src/wanijo/schema/view.clj

@@ -1,5 +1,7 @@
 (ns wanijo.schema.view
-  (:require [hiccup.form :as hform]
+  (:require [hiccup
+             [form :as hform]
+             [core :refer [h]]]
             [ring.util.anti-forgery :refer [anti-forgery-field]]
             [formulare.core :as form]
             [wanijo.framework.view :as view]
@@ -26,7 +28,7 @@
           [:tr
            [:td
             [:a {:href (path :schema-show schema)}
-             (:name schema)]]
+             (h (:name schema))]]
            [:td
             (prettify-dt (:created_at schema))]])]]
       [:h1 "New schema"]