mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-12 22:26:08 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix possible XSS in yaml-metadata and turn using ejs escape syntax than external lib [Security Issue]

Browse source
This commit is contained in:
Wu Cheng-Han 2016-11-26 22:55:31 +08:00
parent b43e63dd21
commit 9d4ede4cff
8 changed files with 15 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

7
lib/response.js
View file

@ -186,7 +186,6 @@ function showPublishNote(req, res, next) {
if (!meta) meta = {};
var createtime = note.createdAt;
var updatetime = note.lastchangeAt;
var text = S(body).escapeHTML().s;
var title = models.Note.decodeTitle(note.title);
title = models.Note.generateWebTitle(meta.title || title);
var origin = config.serverurl;
@ -197,7 +196,7 @@ function showPublishNote(req, res, next) {
createtime: createtime,
updatetime: updatetime,
url: origin,
body: text,
body: body,
useCDN: config.usecdn,
owner: note.owner ? note.owner.id : null,
ownerprofile: note.owner ? models.User.parseProfile(note.owner.profile) : null,
@ -258,7 +257,6 @@ function actionInfo(req, res, note) {
if (!meta) meta = {};
var createtime = note.createdAt;
var updatetime = note.lastchangeAt;
var text = S(body).escapeHTML().s;
var title = models.Note.decodeTitle(note.title);
var data = {
title: meta.title || title,
@ -572,7 +570,6 @@ function showPublishSlide(req, res, next) {
if (!meta) meta = {};
var createtime = note.createdAt;
var updatetime = note.lastchangeAt;
var text = S(body).escapeHTML().s;
var title = models.Note.decodeTitle(note.title);
title = models.Note.generateWebTitle(meta.title || title);
var origin = config.serverurl;
@ -583,7 +580,7 @@ function showPublishSlide(req, res, next) {
createtime: createtime,
updatetime: updatetime,
url: origin,
body: text,
body: body,
meta: JSON.stringify(obj.meta || {}),
useCDN: config.usecdn,
owner: note.owner ? note.owner.id : null,