Merge pull request from GHSA-gjg7-4j2h-94fq
Fix XSS in Open Graph & User metadata
davidmehren committed May 11, 2021
2 parents 4cc9b3a + f552b14 commit 01dad58
Showing 2 changed files with 4 additions and 3 deletions.
5 changes: 3 additions & 2 deletions lib/models/user.js
Expand Up @@ -2,6 +2,7 @@
// external modules
const Sequelize = require('sequelize')
const scrypt = require('scrypt-kdf')
const filterXSS = require('xss')

// core
const logger = require('../logger')
Expand Down Expand Up @@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) {
}
if (profile) {
profile = {
name: profile.displayName || profile.username,
name: filterXSS(profile.displayName || profile.username),
photo: User.parsePhotoByProfile(profile),
biggerphoto: User.parsePhotoByProfile(profile, true)
}
Expand Down Expand Up @@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) {
photo = generateAvatarURL(profile.username)
break
}
return photo
return filterXSS(photo)
}
User.parseProfileByEmail = function (email) {
return {
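Review bot: `filterXSS` from the `xss` package is a whitelist-based HTML sanitizer rather than an escaper, so the value built at `name: filterXSS(profile.displayName || profile.username)` can still carry markup the default whitelist permits (for example `<b>` or `<a>`), which is only safe where every template escapes the name on output; a comment such as `// name is sanitized HTML (xss whitelist), templates must still escape it` would make that contract explicit to the next maintainer. The same applies to `return filterXSS(photo)` in `User.parsePhotoByProfile`: the value is a URL placed in an attribute, and an HTML filter does not check the URL scheme, so if a provider-supplied photo URL can reach this point unchecked, an `http:`/`https:` scheme allow-list is the more fitting guard there. The new `require('xss')` implies a runtime dependency, but package.json is not among the two changed files, so it should be confirmed that `xss` is already declared as a direct dependency. Both enclosing functions start outside the hunks shown.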
2 changes: 1 addition & 1 deletion public/views/hedgedoc/head.ejs
Expand Up @@ -7,7 +7,7 @@
<%- include('../includes/favicon') %>
<% for (var og in opengraph) { %>
<% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %>
<meta property="og:<%- og %>" content="<%- opengraph[og] %>">
<meta property="og:<%= og %>" content="<%= opengraph[og] %>">
<% }} if (!opengraph.hasOwnProperty('image')) { %>
<meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png">
<meta property="og:image:alt" content="HedgeDoc logo">
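Review bot: The `og:image` fallback two lines below the changed `<meta>` still emits `<%- serverURL %>` unescaped, while the loop line now uses `<%=` for both key and value; serverURL is presumably configuration rather than user input, but switching it to `content="<%= serverURL %>/icons/android-chrome-512x512.png"` keeps the head consistent and covers a misconfigured value. Because `<%=` HTML-escapes its output, any caller that previously pre-escaped entries of `opengraph` before passing them to this view would now be double-escaped, so it is worth checking where `opengraph` is populated. The surrounding `for (var og in opengraph)` loop begins inside the hunk but the template continues past it.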
