diff options
author | David Mehren | 2021-05-09 15:35:06 +0200 |
---|---|---|
committer | David Mehren | 2021-05-09 19:28:44 +0200 |
commit | f552b14e11761a73237b3b3834827dde151b8b28 (patch) | |
tree | 6cdaafc4fd26b6e3530468ea5e5a0657b74cbeb2 /lib | |
parent | 4a0216096a6aa1ebba9d8b0ada067c73ffa1513f (diff) |
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.
This commit sanitizes the username and photo URL by passing them
through the `xss` library.
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Diffstat (limited to '')
-rw-r--r-- | lib/models/user.js | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/models/user.js b/lib/models/user.js index 383be1a7..d7953003 100644 --- a/lib/models/user.js +++ b/lib/models/user.js @@ -2,6 +2,7 @@ // external modules const Sequelize = require('sequelize') const scrypt = require('scrypt-kdf') +const filterXSS = require('xss') // core const logger = require('../logger') @@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) { } if (profile) { profile = { - name: profile.displayName || profile.username, + name: filterXSS(profile.displayName || profile.username), photo: User.parsePhotoByProfile(profile), biggerphoto: User.parsePhotoByProfile(profile, true) } @@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) { photo = generateAvatarURL(profile.username) break } - return photo + return filterXSS(photo) } User.parseProfileByEmail = function (email) { return { |