From 078d12bc0e26065d955f9297bf7f9031cd5104b3 Mon Sep 17 00:00:00 2001
From: Eldad Fux <eldad.fux@gmail.com>
Date: Tue, 23 Feb 2021 18:17:45 +0200
Subject: [PATCH 1/2] Fixed XSS issue

---
 app/tasks/doctor.php                          |  1 -
 app/views/console/database/search/files.phtml |  1 +
 app/views/console/functions/function.phtml    |  2 +-
 app/views/console/home/index.phtml            | 10 +++++--
 app/views/console/storage/index.phtml         |  1 +
 public/dist/scripts/app-all.js                |  9 +++---
 public/dist/scripts/app.js                    |  9 +++---
 public/scripts/dependencies/litespeed.js      |  2 +-
 public/scripts/filters.js                     | 30 ++++++++++++++-----
 9 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/app/tasks/doctor.php b/app/tasks/doctor.php
index 2918d4f1e4..0f601bb5b5 100644
--- a/app/tasks/doctor.php
+++ b/app/tasks/doctor.php
@@ -139,7 +139,6 @@ $cli
             Console::success('SMTP................connected 👍');
         } catch (\Throwable $th) {
             Console::error('SMTP.............disconnected 👎');
-            var_dump($th);
         }
 
         $host = App::getEnv('_APP_STATSD_HOST', 'telegraf');
diff --git a/app/views/console/database/search/files.phtml b/app/views/console/database/search/files.phtml
index ac9f76e0ea..0a1b4d739c 100644
--- a/app/views/console/database/search/files.phtml
+++ b/app/views/console/database/search/files.phtml
@@ -64,6 +64,7 @@
                             </td>
                             <td data-title="Size: ">
                                 <span class="text-fade text-size-small" data-ls-bind="{{file.sizeOriginal|humanFileSize}}"></span>
+                                <span class="text-fade text-size-small" data-ls-bind="{{file.sizeOriginal|humanFileUnit}}"></span>
                             </td>
                             <td data-title="Created: ">
                                 <span class="text-fade text-size-small" data-ls-bind="{{file.dateCreated|dateText}}"></span>
diff --git a/app/views/console/functions/function.phtml b/app/views/console/functions/function.phtml
index 74960eba48..4ae65f491e 100644
--- a/app/views/console/functions/function.phtml
+++ b/app/views/console/functions/function.phtml
@@ -117,7 +117,7 @@ $usageStatsEnabled = $this->getParam('usageStatsEnabled',true);
                                             <b data-ls-bind="{{tag.$id}}"></b> &nbsp;
                                             <span class="text-fade" data-ls-bind="{{tag.command}}"></span>
                                             <div class="text-size-small margin-top-small clear">
-                                                <span class="pull-start" data-ls-bind="Created {{tag.dateCreated|timeSince}} &nbsp; | &nbsp; {{tag.size|humanFileSize}}"></span>
+                                                <span class="pull-start" data-ls-bind="Created {{tag.dateCreated|timeSince}} &nbsp; | &nbsp; {{tag.size|humanFileSize}}{{tag.size|humanFileUnit}}"></span>
 
                                                 <form data-ls-if="{{tag.$id}} !== {{project-function.tag}}" name="functions.deleteTag" class="pull-start"
                                                     data-analytics
diff --git a/app/views/console/home/index.phtml b/app/views/console/home/index.phtml
index e7164ebfde..1f3e95f1d9 100644
--- a/app/views/console/home/index.phtml
+++ b/app/views/console/home/index.phtml
@@ -97,7 +97,10 @@ $usageStatsEnabled = $this->getParam('usageStatsEnabled',true);
                         </div>
                     </div>
                     <div class="col span-3">
-                        <div class="value margin-bottom-small"><span class="sum" data-ls-bind="{{usage.network.total|humanFileSize}}" data-default="0">0</span></div>
+                        <div class="value margin-bottom-small">
+                            <span class="sum" data-ls-bind="{{usage.network.total|humanFileSize}}" data-default="0">0</span>
+                            <span data-ls-bind="{{usage.network.total|humanFileUnit}}" class="text-size-small unit"></span>
+                        </div>
                         <div class="metric margin-bottom-small">Bandwidth</div>
 
                         <div class="margin-top-large value small">
@@ -117,7 +120,10 @@ $usageStatsEnabled = $this->getParam('usageStatsEnabled',true);
                     <div class="margin-top-small"><b class="text-size-small unit">Documents</b></div>
                 </div>
                 <div class="col span-3">
-                    <div class="value"><span class="sum" data-ls-bind="{{usage.storage.total|humanFileSize}}" data-default="0">0</span></div>
+                    <div class="value">
+                        <span class="sum" data-ls-bind="{{usage.storage.total|humanFileSize}}" data-default="0">0</span>
+                        <span data-ls-bind="{{usage.storage.total|humanFileUnit}}" class="text-size-small unit"></span>
+                    </div>
                     <div class="margin-top-small"><b class="text-size-small unit">Storage</b></div>
                 </div>
                 <div class="col span-3">
diff --git a/app/views/console/storage/index.phtml b/app/views/console/storage/index.phtml
index bd39699592..6b03814ae2 100644
--- a/app/views/console/storage/index.phtml
+++ b/app/views/console/storage/index.phtml
@@ -204,6 +204,7 @@ $fileLimitHuman = $this->getParam('fileLimitHuman', 0);
                                     </td>
                                     <td data-title="Size: ">
                                         <span class="text-fade text-size-small" data-ls-bind="{{file.sizeOriginal|humanFileSize}}"></span>
+                                        <span class="text-fade text-size-small" data-ls-bind="{{file.sizeOriginal|humanFileUnit}}"></span>
                                     </td>
                                     <td data-title="Created: ">
                                         <span class="text-fade text-size-small" data-ls-bind="{{file.dateCreated|dateText}}"></span>
diff --git a/public/dist/scripts/app-all.js b/public/dist/scripts/app-all.js
index 6e2367f10a..e53871531e 100644
--- a/public/dist/scripts/app-all.js
+++ b/public/dist/scripts/app-all.js
@@ -2071,7 +2071,7 @@ container.path(paths[i],value);}});}
 return;}
 if(element.value!==value){element.value=value;element.dispatchEvent(new Event('change'));}
 if(bind){element.addEventListener('input',sync);element.addEventListener('change',sync);}}
-else{if(element.innerHTML!=value){element.innerHTML=value;}}};let sync=(()=>{return()=>{if(debug){console.info('debug-ls-bind','sync-path',paths);console.info('debug-ls-bind','sync-syntax',syntax);console.info('debug-ls-bind','sync-syntax-parsed',parsedSyntax);console.info('debug-ls-bind','sync-value',element.value);}
+else{if(element.textContent!=value){element.textContent=value;}}};let sync=(()=>{return()=>{if(debug){console.info('debug-ls-bind','sync-path',paths);console.info('debug-ls-bind','sync-syntax',syntax);console.info('debug-ls-bind','sync-syntax-parsed',parsedSyntax);console.info('debug-ls-bind','sync-value',element.value);}
 for(let i=0;i<paths.length;i++){if('{{'+paths[i]+'}}'!==parsedSyntax){if(debug){console.info('debug-ls-bind','sync-skipped-path',paths[i]);console.info('debug-ls-bind','sync-skipped-syntax',syntax);console.info('debug-ls-bind','sync-skipped-syntax-parsed',parsedSyntax);}
 continue;}
 if(debug){console.info('debug-ls-bind','sync-loop-path',paths[i]);console.info('debug-ls-bind','sync-loop-syntax',parsedSyntax);}
@@ -2250,9 +2250,10 @@ return value+" "+unit+" "+direction;}).add("ms2hum",function($value){let temp=$v
 (minutes?minutes+"m ":"")+
 Number.parseFloat(seconds).toFixed(0)+"s");}
 return"< 1s";}).add("seconds2hum",function($value){var seconds=($value).toFixed(3);var minutes=($value/(60)).toFixed(1);var hours=($value/(60*60)).toFixed(1);var days=($value/(60*60*24)).toFixed(1);if(seconds<60){return seconds+"s";}else if(minutes<60){return minutes+"m";}else if(hours<24){return hours+"h";}else{return days+"d"}}).add("markdown",function($value,markdown){return markdown.render($value);}).add("pageCurrent",function($value,env){return Math.ceil(parseInt($value||0)/env.PAGING_LIMIT)+1;}).add("pageTotal",function($value,env){let total=Math.ceil(parseInt($value||0)/env.PAGING_LIMIT);return total?total:1;}).add("humanFileSize",function($value){if(!$value){return 0;}
-let thresh=1000;if(Math.abs($value)<thresh){return $value+" B";}
-let units=["kB","MB","GB","TB","PB","EB","ZB","YB"];let u=-1;do{$value/=thresh;++u;}while(Math.abs($value)>=thresh&&u<units.length-1);return($value.toFixed(1)+'<span class="text-size-small unit">'+
-units[u]+"</span>");}).add("statsTotal",function($value){if(!$value){return 0;}
+let thresh=1000;if(Math.abs($value)<thresh){return $value;}
+let units=["kB","MB","GB","TB","PB","EB","ZB","YB"];let u=-1;do{$value/=thresh;++u;}while(Math.abs($value)>=thresh&&u<units.length-1);return $value.toFixed(1);}).add("humanFileUnit",function($value){if(!$value){return'';}
+let thresh=1000;if(Math.abs($value)<thresh){return'B';}
+let units=["kB","MB","GB","TB","PB","EB","ZB","YB"];let u=-1;do{$value/=thresh;++u;}while(Math.abs($value)>=thresh&&u<units.length-1);return units[u];}).add("statsTotal",function($value){if(!$value){return 0;}
 $value=abbreviate($value,0,false,false);return $value==="0"?"N/A":$value;}).add("isEmpty",function($value){return(!!$value);}).add("isEmptyObject",function($value){return((Object.keys($value).length===0&&$value.constructor===Object)||$value.length===0)}).add("activeDomainsCount",function($value){let result=[];if(Array.isArray($value)){result=$value.filter(function(node){return(node.verification&&node.certificateId);});}
 return result.length;}).add("documentAction",function(container){let collection=container.get('project-collection');let document=container.get('project-document');if(collection&&document&&!document.$id){return'database.createDocument';}
 return'database.updateDocument';}).add("documentSuccess",function(container){let document=container.get('project-document');if(document&&!document.$id){return',redirect';}
diff --git a/public/dist/scripts/app.js b/public/dist/scripts/app.js
index ca8bf3054d..73d1133feb 100644
--- a/public/dist/scripts/app.js
+++ b/public/dist/scripts/app.js
@@ -116,7 +116,7 @@ container.path(paths[i],value);}});}
 return;}
 if(element.value!==value){element.value=value;element.dispatchEvent(new Event('change'));}
 if(bind){element.addEventListener('input',sync);element.addEventListener('change',sync);}}
-else{if(element.innerHTML!=value){element.innerHTML=value;}}};let sync=(()=>{return()=>{if(debug){console.info('debug-ls-bind','sync-path',paths);console.info('debug-ls-bind','sync-syntax',syntax);console.info('debug-ls-bind','sync-syntax-parsed',parsedSyntax);console.info('debug-ls-bind','sync-value',element.value);}
+else{if(element.textContent!=value){element.textContent=value;}}};let sync=(()=>{return()=>{if(debug){console.info('debug-ls-bind','sync-path',paths);console.info('debug-ls-bind','sync-syntax',syntax);console.info('debug-ls-bind','sync-syntax-parsed',parsedSyntax);console.info('debug-ls-bind','sync-value',element.value);}
 for(let i=0;i<paths.length;i++){if('{{'+paths[i]+'}}'!==parsedSyntax){if(debug){console.info('debug-ls-bind','sync-skipped-path',paths[i]);console.info('debug-ls-bind','sync-skipped-syntax',syntax);console.info('debug-ls-bind','sync-skipped-syntax-parsed',parsedSyntax);}
 continue;}
 if(debug){console.info('debug-ls-bind','sync-loop-path',paths[i]);console.info('debug-ls-bind','sync-loop-syntax',parsedSyntax);}
@@ -295,9 +295,10 @@ return value+" "+unit+" "+direction;}).add("ms2hum",function($value){let temp=$v
 (minutes?minutes+"m ":"")+
 Number.parseFloat(seconds).toFixed(0)+"s");}
 return"< 1s";}).add("seconds2hum",function($value){var seconds=($value).toFixed(3);var minutes=($value/(60)).toFixed(1);var hours=($value/(60*60)).toFixed(1);var days=($value/(60*60*24)).toFixed(1);if(seconds<60){return seconds+"s";}else if(minutes<60){return minutes+"m";}else if(hours<24){return hours+"h";}else{return days+"d"}}).add("markdown",function($value,markdown){return markdown.render($value);}).add("pageCurrent",function($value,env){return Math.ceil(parseInt($value||0)/env.PAGING_LIMIT)+1;}).add("pageTotal",function($value,env){let total=Math.ceil(parseInt($value||0)/env.PAGING_LIMIT);return total?total:1;}).add("humanFileSize",function($value){if(!$value){return 0;}
-let thresh=1000;if(Math.abs($value)<thresh){return $value+" B";}
-let units=["kB","MB","GB","TB","PB","EB","ZB","YB"];let u=-1;do{$value/=thresh;++u;}while(Math.abs($value)>=thresh&&u<units.length-1);return($value.toFixed(1)+'<span class="text-size-small unit">'+
-units[u]+"</span>");}).add("statsTotal",function($value){if(!$value){return 0;}
+let thresh=1000;if(Math.abs($value)<thresh){return $value;}
+let units=["kB","MB","GB","TB","PB","EB","ZB","YB"];let u=-1;do{$value/=thresh;++u;}while(Math.abs($value)>=thresh&&u<units.length-1);return $value.toFixed(1);}).add("humanFileUnit",function($value){if(!$value){return'';}
+let thresh=1000;if(Math.abs($value)<thresh){return'B';}
+let units=["kB","MB","GB","TB","PB","EB","ZB","YB"];let u=-1;do{$value/=thresh;++u;}while(Math.abs($value)>=thresh&&u<units.length-1);return units[u];}).add("statsTotal",function($value){if(!$value){return 0;}
 $value=abbreviate($value,0,false,false);return $value==="0"?"N/A":$value;}).add("isEmpty",function($value){return(!!$value);}).add("isEmptyObject",function($value){return((Object.keys($value).length===0&&$value.constructor===Object)||$value.length===0)}).add("activeDomainsCount",function($value){let result=[];if(Array.isArray($value)){result=$value.filter(function(node){return(node.verification&&node.certificateId);});}
 return result.length;}).add("documentAction",function(container){let collection=container.get('project-collection');let document=container.get('project-document');if(collection&&document&&!document.$id){return'database.createDocument';}
 return'database.updateDocument';}).add("documentSuccess",function(container){let document=container.get('project-document');if(document&&!document.$id){return',redirect';}
diff --git a/public/scripts/dependencies/litespeed.js b/public/scripts/dependencies/litespeed.js
index 10f4bf1a16..0a083a6c4d 100644
--- a/public/scripts/dependencies/litespeed.js
+++ b/public/scripts/dependencies/litespeed.js
@@ -116,7 +116,7 @@ container.path(paths[i],value);}});}
 return;}
 if(element.value!==value){element.value=value;element.dispatchEvent(new Event('change'));}
 if(bind){element.addEventListener('input',sync);element.addEventListener('change',sync);}}
-else{if(element.innerHTML!=value){element.innerHTML=value;}}};let sync=(()=>{return()=>{if(debug){console.info('debug-ls-bind','sync-path',paths);console.info('debug-ls-bind','sync-syntax',syntax);console.info('debug-ls-bind','sync-syntax-parsed',parsedSyntax);console.info('debug-ls-bind','sync-value',element.value);}
+else{if(element.textContent!=value){element.textContent=value;}}};let sync=(()=>{return()=>{if(debug){console.info('debug-ls-bind','sync-path',paths);console.info('debug-ls-bind','sync-syntax',syntax);console.info('debug-ls-bind','sync-syntax-parsed',parsedSyntax);console.info('debug-ls-bind','sync-value',element.value);}
 for(let i=0;i<paths.length;i++){if('{{'+paths[i]+'}}'!==parsedSyntax){if(debug){console.info('debug-ls-bind','sync-skipped-path',paths[i]);console.info('debug-ls-bind','sync-skipped-syntax',syntax);console.info('debug-ls-bind','sync-skipped-syntax-parsed',parsedSyntax);}
 continue;}
 if(debug){console.info('debug-ls-bind','sync-loop-path',paths[i]);console.info('debug-ls-bind','sync-loop-syntax',parsedSyntax);}
diff --git a/public/scripts/filters.js b/public/scripts/filters.js
index 9f5308d557..e1e6e1f6ea 100644
--- a/public/scripts/filters.js
+++ b/public/scripts/filters.js
@@ -133,7 +133,7 @@ window.ls.filter
     let thresh = 1000;
 
     if (Math.abs($value) < thresh) {
-      return $value + " B";
+      return $value;
     }
 
     let units = ["kB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB"];
@@ -144,12 +144,28 @@ window.ls.filter
       ++u;
     } while (Math.abs($value) >= thresh && u < units.length - 1);
 
-    return (
-      $value.toFixed(1) +
-      '<span class="text-size-small unit">' +
-      units[u] +
-      "</span>"
-    );
+    return $value.toFixed(1);
+  })
+  .add("humanFileUnit", function($value) {
+    if (!$value) {
+      return '';
+    }
+
+    let thresh = 1000;
+
+    if (Math.abs($value) < thresh) {
+      return 'B';
+    }
+
+    let units = ["kB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB"];
+    let u = -1;
+
+    do {
+      $value /= thresh;
+      ++u;
+    } while (Math.abs($value) >= thresh && u < units.length - 1);
+
+    return units[u];
   })
   .add("statsTotal", function($value) {
     if (!$value) {

From 557144b0971ab3c0778e61c39a93d04db76c2ee3 Mon Sep 17 00:00:00 2001
From: Eldad Fux <eldad.fux@gmail.com>
Date: Tue, 23 Feb 2021 18:20:02 +0200
Subject: [PATCH 2/2] Updated changelog

---
 CHANGES.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index 31da3f55fe..63e9f6cdef 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -26,6 +26,10 @@
 
 - Updated missing storage env vars
 
+## Security
+
+- Fixed an XSS vulnerability in the Appwrite console
+
 # Version 0.7.0
 
 ## Features