Merge pull request from GHSA-gjg7-4j2h-94fq

Fix XSS in Open Graph & User metadata
author: David Mehren 2021-05-11 21:13:25 +0200
committer: GitHub 2021-05-11 21:13:25 +0200
commit: 01dad5821ee28377ebe640c6c72c3e0bb0d51ea7 (patch)
tree: e1dc63aba3546b3bbc402c2e911626d0ade56b46 /lib/models/user.js
parent: 4cc9b3abe5f4ee55764fbdb6602f8133e4d73e53 (diff)
parent: f552b14e11761a73237b3b3834827dde151b8b28 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/models/user.js b/lib/models/user.js
index 383be1a7..d7953003 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -2,6 +2,7 @@
 // external modules
 const Sequelize = require('sequelize')
 const scrypt = require('scrypt-kdf')
+const filterXSS = require('xss')
 
 // core
 const logger = require('../logger')
@@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) {
     }
     if (profile) {
       profile = {
-        name: profile.displayName || profile.username,
+        name: filterXSS(profile.displayName || profile.username),
         photo: User.parsePhotoByProfile(profile),
         biggerphoto: User.parsePhotoByProfile(profile, true)
       }
@@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) {
         photo = generateAvatarURL(profile.username)
         break
     }
-    return photo
+    return filterXSS(photo)
   }
   User.parseProfileByEmail = function (email) {
     return {
author	David Mehren	2021-05-11 21:13:25 +0200
committer	GitHub	2021-05-11 21:13:25 +0200
commit	01dad5821ee28377ebe640c6c72c3e0bb0d51ea7 (patch)
tree	e1dc63aba3546b3bbc402c2e911626d0ade56b46 /lib/models/user.js
parent	4cc9b3abe5f4ee55764fbdb6602f8133e4d73e53 (diff)
parent	f552b14e11761a73237b3b3834827dde151b8b28 (diff)