summaryrefslogtreecommitdiff
path: root/public/banner
diff options
context:
space:
mode:
authorDavid Mehren2021-05-09 15:25:59 +0200
committerDavid Mehren2021-05-09 19:21:27 +0200
commit4a0216096a6aa1ebba9d8b0ada067c73ffa1513f (patch)
treed35701d841db5c7fa49a1c90e9614d5b5a0d768d /public/banner
parent87c83dcba5ebab9078a7e625023d7fe37889adb8 (diff)
Escape custom Open Graph tags
HedgeDoc allows to specify custom Open Graph tags using the `opengraph` key in the YAML metadata of a note. These are rendered into the HTML delivered to clients using `ejs` and its `<%-` tag. This outputs the variable unescaped into the template and therefore allows to inject arbitrary strings, including `<script>` tags. This commit changes the template to use ejs's `<%=` tag instead, which automatically escapes the variables content, thereby mitigating the XSS vector. See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de>
Diffstat (limited to 'public/banner')
0 files changed, 0 insertions, 0 deletions