summaryrefslogtreecommitdiff
path: root/lib/models
diff options
context:
space:
mode:
authorDavid Mehren2021-05-11 21:13:25 +0200
committerGitHub2021-05-11 21:13:25 +0200
commit01dad5821ee28377ebe640c6c72c3e0bb0d51ea7 (patch)
treee1dc63aba3546b3bbc402c2e911626d0ade56b46 /lib/models
parent4cc9b3abe5f4ee55764fbdb6602f8133e4d73e53 (diff)
parentf552b14e11761a73237b3b3834827dde151b8b28 (diff)
Merge pull request from GHSA-gjg7-4j2h-94fq
Fix XSS in Open Graph & User metadata
Diffstat (limited to '')
-rw-r--r--lib/models/user.js5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/models/user.js b/lib/models/user.js
index 383be1a7..d7953003 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -2,6 +2,7 @@
// external modules
const Sequelize = require('sequelize')
const scrypt = require('scrypt-kdf')
+const filterXSS = require('xss')
// core
const logger = require('../logger')
@@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) {
}
if (profile) {
profile = {
- name: profile.displayName || profile.username,
+ name: filterXSS(profile.displayName || profile.username),
photo: User.parsePhotoByProfile(profile),
biggerphoto: User.parsePhotoByProfile(profile, true)
}
@@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) {
photo = generateAvatarURL(profile.username)
break
}
- return photo
+ return filterXSS(photo)
}
User.parseProfileByEmail = function (email) {
return {