diff options
author | David Mehren | 2021-05-09 15:25:59 +0200 |
---|---|---|
committer | David Mehren | 2021-05-09 19:21:27 +0200 |
commit | 4a0216096a6aa1ebba9d8b0ada067c73ffa1513f (patch) | |
tree | d35701d841db5c7fa49a1c90e9614d5b5a0d768d /public/views | |
parent | 87c83dcba5ebab9078a7e625023d7fe37889adb8 (diff) |
Escape custom Open Graph tags
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.
These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.
This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.
See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Diffstat (limited to 'public/views')
-rw-r--r-- | public/views/hedgedoc/head.ejs | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/public/views/hedgedoc/head.ejs b/public/views/hedgedoc/head.ejs index 44668795..419d5dcc 100644 --- a/public/views/hedgedoc/head.ejs +++ b/public/views/hedgedoc/head.ejs @@ -7,7 +7,7 @@ <%- include('../includes/favicon') %> <% for (var og in opengraph) { %> <% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %> -<meta property="og:<%- og %>" content="<%- opengraph[og] %>"> +<meta property="og:<%= og %>" content="<%= opengraph[og] %>"> <% }} if (!opengraph.hasOwnProperty('image')) { %> <meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png"> <meta property="og:image:alt" content="HedgeDoc logo"> |