diff options
author | David Mehren | 2021-05-11 21:13:25 +0200 |
---|---|---|
committer | GitHub | 2021-05-11 21:13:25 +0200 |
commit | 01dad5821ee28377ebe640c6c72c3e0bb0d51ea7 (patch) | |
tree | e1dc63aba3546b3bbc402c2e911626d0ade56b46 | |
parent | 4cc9b3abe5f4ee55764fbdb6602f8133e4d73e53 (diff) | |
parent | f552b14e11761a73237b3b3834827dde151b8b28 (diff) |
Merge pull request from GHSA-gjg7-4j2h-94fq
Fix XSS in Open Graph & User metadata
-rw-r--r-- | lib/models/user.js | 5 | ||||
-rw-r--r-- | public/views/hedgedoc/head.ejs | 2 |
2 files changed, 4 insertions, 3 deletions
diff --git a/lib/models/user.js b/lib/models/user.js index 383be1a7..d7953003 100644 --- a/lib/models/user.js +++ b/lib/models/user.js @@ -2,6 +2,7 @@ // external modules const Sequelize = require('sequelize') const scrypt = require('scrypt-kdf') +const filterXSS = require('xss') // core const logger = require('../logger') @@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) { } if (profile) { profile = { - name: profile.displayName || profile.username, + name: filterXSS(profile.displayName || profile.username), photo: User.parsePhotoByProfile(profile), biggerphoto: User.parsePhotoByProfile(profile, true) } @@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) { photo = generateAvatarURL(profile.username) break } - return photo + return filterXSS(photo) } User.parseProfileByEmail = function (email) { return { diff --git a/public/views/hedgedoc/head.ejs b/public/views/hedgedoc/head.ejs index 44668795..419d5dcc 100644 --- a/public/views/hedgedoc/head.ejs +++ b/public/views/hedgedoc/head.ejs @@ -7,7 +7,7 @@ <%- include('../includes/favicon') %> <% for (var og in opengraph) { %> <% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %> -<meta property="og:<%- og %>" content="<%- opengraph[og] %>"> +<meta property="og:<%= og %>" content="<%= opengraph[og] %>"> <% }} if (!opengraph.hasOwnProperty('image')) { %> <meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png"> <meta property="og:image:alt" content="HedgeDoc logo"> |