authorDavid Mehren2021-05-09 15:35:06 +0200
committerDavid Mehren2021-05-09 19:28:44 +0200
commitf552b14e11761a73237b3b3834827dde151b8b28 (patch)
tree6cdaafc4fd26b6e3530468ea5e5a0657b74cbeb2
parent4a0216096a6aa1ebba9d8b0ada067c73ffa1513f (diff)
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places by rendering the respective variables into an `ejs` template. As the values are user-provided or generated from user-provided data, it may be possible to inject unwanted HTML. This commit sanitizes the username and photo URL by passing them through the `xss` library. Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de>
-rw-r--r--lib/models/user.js5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/models/user.js b/lib/models/user.js
index 383be1a7..d7953003 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -2,6 +2,7 @@
// external modules
const Sequelize = require('sequelize')
const scrypt = require('scrypt-kdf')
+const filterXSS = require('xss')
// core
const logger = require('../logger')
@@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) {
}
if (profile) {
profile = {
- name: profile.displayName || profile.username,
+ name: filterXSS(profile.displayName || profile.username),
photo: User.parsePhotoByProfile(profile),
biggerphoto: User.parsePhotoByProfile(profile, true)
}
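Review bot: `filterXSS(...)` called with no options on line 31 applies the xss library's default tag whitelist, so the stored name is not reduced to plain text and can still carry whatever markup the default whitelist permits; a display name has no legitimate HTML, so a stripping configuration fits better, e.g. `name: filterXSS(profile.displayName || profile.username, { whiteList: {}, stripIgnoreTag: true, stripIgnoreTagBody: ['script'] })`. The sanitizing also runs at profile-parse time, so rows written before this change are presumably not covered and the escaping (or lack of it) in the `ejs` templates remains the other layer to confirm. The enclosing `module.exports = function (sequelize, DataTypes)` starts outside the hunk.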
@@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) {
photo = generateAvatarURL(profile.username)
break
}
- return photo
+ return filterXSS(photo)
}
User.parseProfileByEmail = function (email) {
return {
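Review bot: `filterXSS(photo)` on line 40 escapes HTML-significant characters but does not constrain the URL itself; if `photo` ends up in an `src` or `href` attribute (not visible in this hunk), the scheme is the relevant check and a comment stating that limitation would help, e.g. `// filterXSS escapes markup only; it does not validate the URL scheme`. A defensive option, assuming the providers always yield absolute URLs, is to parse with `new URL(photo)` and fall back to `generateAvatarURL(profile.username)` when `protocol` is neither `http:` nor `https:`. `User.parsePhotoByProfile` starts outside the hunk and `User.parseProfileByEmail` continues past it.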