field | value | date
---|---|---
author | David Mehren | 2021-05-09 15:35:06 +0200
committer | David Mehren | 2021-05-09 19:28:44 +0200
commit | f552b14e11761a73237b3b3834827dde151b8b28 (patch) |
tree | 6cdaafc4fd26b6e3530468ea5e5a0657b74cbeb2 /lib/migrations/20171009121200-longtext-for-mysql.js |
parent | 4a0216096a6aa1ebba9d8b0ada067c73ffa1513f (diff) |
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.
This commit sanitizes the username and photo URL by passing them
through the `xss` library.
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Diffstat (limited to 'lib/migrations/20171009121200-longtext-for-mysql.js')
0 files changed, 0 insertions, 0 deletions