From 091bb382c864c1714d219ee9c5019cdbe2cc8496 Mon Sep 17 00:00:00 2001
From: Rikuoh Tsujitani <mail@riq0h.jp>
Date: Wed, 14 Aug 2024 14:22:10 +0900
Subject: [PATCH] =?UTF-8?q?XSS=E5=AF=BE=E7=AD=96=E3=81=AE=E6=96=B9?=
 =?UTF-8?q?=E6=B3=95=E3=82=92=E5=A4=89=E6=9B=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 memoapp/app.rb              | 20 ++++++++------------
 memoapp/views/edit.erb      |  4 ++--
 memoapp/views/index.erb     |  2 +-
 memoapp/views/not_found.erb | 15 +++------------
 memoapp/views/show.erb      |  4 ++--
 5 files changed, 16 insertions(+), 29 deletions(-)

diff --git a/memoapp/app.rb b/memoapp/app.rb
index 486f9ab..34977c7 100644
--- a/memoapp/app.rb
+++ b/memoapp/app.rb
@@ -4,26 +4,22 @@ require 'sinatra'
 require 'sinatra/reloader'
 require 'json'
 require 'securerandom'
-require 'rack/protection'
-require 'rack/utils'
+require 'cgi'
 
-use Rack::Protection
+FILE_PATH = 'memos.json'
 
 helpers do
-  include Rack::Utils
-  alias_method :h, :escape_html
+  def h(text)
+    CGI.escapeHTML(text.to_s)
+  end
 end
 
-FILE_PATH = 'memos.json' # publicフォルダから移動
-
 def load_memos
-  if File.exist?(FILE_PATH) && !File.zero?(FILE_PATH)
+  if !File.zero?(FILE_PATH)
     JSON.parse(File.read(FILE_PATH))
   else
     {}
   end
-rescue JSON::ParserError
-  {}
 end
 
 def save_memos(memos)
@@ -48,7 +44,7 @@ end
 post '/memos' do
   memos = load_memos
   id = SecureRandom.uuid
-  memos[id] = { 'title' => h(params[:title]), 'content' => h(params[:content]) }
+  memos[id] = { 'title' => params[:title], 'content' => params[:content] }
   save_memos(memos)
   redirect '/memos'
 end
@@ -68,7 +64,7 @@ end
 patch '/memos/:id' do
   memos = load_memos
   halt 404, erb(:not_found) unless memos[params[:id]]
-  memos[params[:id]] = { 'title' => h(params[:title]), 'content' => h(params[:content]) }
+  memos[params[:id]] = { 'title' => params[:title], 'content' => params[:content] }
   save_memos(memos)
   redirect "/memos/#{params[:id]}"
 end
diff --git a/memoapp/views/edit.erb b/memoapp/views/edit.erb
index 54c58b0..5f940d7 100644
--- a/memoapp/views/edit.erb
+++ b/memoapp/views/edit.erb
@@ -1,8 +1,8 @@
 <form action="/memos/<%= params[:id] %>" method="post">
 <input type="hidden" name="_method" value="patch">
 <label for="title">タイトル</label>
-<input type="text" name="title" id="title" value="<%= @memo["title"] %>">
+<input type="text" name="title" id="title" value="<%= h(@memo['title']) %>">
 <label for="content">内容</label>
-<textarea name="content" id="content"><%= @memo["content"] %></textarea>
+<textarea name="content" id="content"><%= h(@memo['content']) %></textarea>
 <button type="submit" class="edit">変更</button>
 </form>
diff --git a/memoapp/views/index.erb b/memoapp/views/index.erb
index 47b644e..ee2eee6 100644
--- a/memoapp/views/index.erb
+++ b/memoapp/views/index.erb
@@ -1,5 +1,5 @@
 <ul class="memo-list">
 <% @memos.each do |id, memo| %>
-  <li><a href="/memos/<%= id %>"><%= memo["title"] %></a></li>
+  <li><a href="/memos/<%= id %>"><%= h(memo["title"]) %></a></li>
 <% end %>
 </ul>
diff --git a/memoapp/views/not_found.erb b/memoapp/views/not_found.erb
index c956bab..5bb9ea4 100644
--- a/memoapp/views/not_found.erb
+++ b/memoapp/views/not_found.erb
@@ -1,12 +1,3 @@
-<!DOCTYPE html>
-<html lang="ja">
-<head>
-  <meta charset="UTF-8">
-  <title>404 Not Found</title>
-</head>
-<body>
-  <h1>404 Not Found</h1>
-  <p>お探しのページは見つかりませんでした。</p>
-  <a href="/memos">メモ一覧に戻る</a>
-</body>
-</html>
+<h1>404 Not Found</h1>
+<p>お探しのページは見つかりませんでした。</p>
+<a href="/">トップページに戻る</a>
diff --git a/memoapp/views/show.erb b/memoapp/views/show.erb
index 77a4af4..e3bf232 100644
--- a/memoapp/views/show.erb
+++ b/memoapp/views/show.erb
@@ -1,5 +1,5 @@
-<h2><%= @memo["title"] %></h2>
-<p><%= @memo["content"] %></p>
+<h2><%= h(@memo['title']) %></h2>
+<p><%= h(@memo['content']) %></p>
 <div class="memo-actions">
   <form action="/memos/<%= params[:id] %>/edit" method="get">
     <button type="submit" class="edit">変更</button>