Merge pull request from GHSA-gjg7-4j2h-94fq

Fix XSS in Open Graph & User metadata
David Mehren 2021-05-11 21:13:25 +02:00 committed by GitHub
commit 01dad5821e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 3 deletions


@ -2,6 +2,7 @@
// external modules // external modules
const Sequelize = require('sequelize') const Sequelize = require('sequelize')
const scrypt = require('scrypt-kdf') const scrypt = require('scrypt-kdf')
const filterXSS = require('xss')
// core // core
const logger = require('../logger') const logger = require('../logger')
@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) {
} }
if (profile) { if (profile) {
profile = { profile = {
name: profile.displayName || profile.username, name: filterXSS(profile.displayName || profile.username),
photo: User.parsePhotoByProfile(profile), photo: User.parsePhotoByProfile(profile),
biggerphoto: User.parsePhotoByProfile(profile, true) biggerphoto: User.parsePhotoByProfile(profile, true)
} }
@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) {
photo = generateAvatarURL(profile.username) photo = generateAvatarURL(profile.username)
break break
} }
return photo return filterXSS(photo)
} }
User.parseProfileByEmail = function (email) { User.parseProfileByEmail = function (email) {
return { return {
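Review bot: `filterXSS` is an HTML-fragment sanitizer, so wrapping the bare URL in `return filterXSS(photo)` at the end of parsePhotoByProfile does not validate the URL: a string containing no tags is returned unchanged, and a non-http(s) scheme coming from a provider profile would survive it. Since photo appears to be destined for an image `src` attribute (inferred, the render site is not in this diff), add a scheme check next to the sanitizer, e.g. `if (!/^https?:\/\//i.test(photo)) photo = generateAvatarURL(profile.username)` before the return, which falls back to the generated avatar the same way the switch's last case does. For the `name: filterXSS(profile.displayName || profile.username)` line, note that the xss module keeps its default whitelist of tags and HTML-escapes the rest, so the stored name can carry entities into non-HTML consumers such as the JSON API; output encoding at the view (EJS `<%=`) is the more robust place for this, and if the model-level filter is kept it deserves a comment such as `// sanitized as HTML here because some views insert it unescaped; prefer <%= at the view`. Both the profile branch and parsePhotoByProfile begin outside the hunks shown.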


@ -7,7 +7,7 @@
<%- include('../includes/favicon') %> <%- include('../includes/favicon') %>
<% for (var og in opengraph) { %> <% for (var og in opengraph) { %>
<% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %> <% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %>
<meta property="og:<%- og %>" content="<%- opengraph[og] %>"> <meta property="og:<%= og %>" content="<%= opengraph[og] %>">
<% }} if (!opengraph.hasOwnProperty('image')) { %> <% }} if (!opengraph.hasOwnProperty('image')) { %>
<meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png"> <meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png">
<meta property="og:image:alt" content="HedgeDoc logo"> <meta property="og:image:alt" content="HedgeDoc logo">
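Review bot: The `og:image` fallback line still emits `serverURL` with the unescaped `<%-` tag inside a double-quoted attribute, while the loop directly above now uses `<%=` for both the property name and the value. serverURL is configuration rather than user input, so the exposure is lower, but a value containing `"` would still break out of the attribute; changing it to `content="<%= serverURL %>/icons/android-chrome-512x512.png"` makes the head consistently attribute-escaped. The loop guard's `opengraph[og].trim()` also assumes every value is a string, which is fine if the controller guarantees it but is worth stating in a comment.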