Escape custom Open Graph tags
HedgeDoc allows specifying custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows injecting arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variable's content,
thereby mitigating the XSS vector.

See also GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
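The difference between the two ejs tags that the message describes, as an added JavaScript example that is not part of HedgeDoc or of this commit. `escapeHtml` is assumed to mirror ejs's default escape function (it replaces `&`, `<`, `>`, `"` and `'` with entities); `renderOgTags` and `containsOnlyMetaTags` are hypothetical helpers that imitate the loop in `head.ejs`, and the `opengraph` object below is constructed for the demonstration.

```javascript
// Added example (not HedgeDoc's code): why rendering note-controlled
// Open Graph values with an unescaped template tag is an XSS vector,
// and how HTML-escaping (what ejs's `<%=` does) contains it.

// Assumption: mirrors ejs's default escape function, which replaces
// & < > " ' with entities. The real head.ejs template is not reproduced.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;',
  })[ch]);
}

// Renders <meta property="og:..." content="..."> tags for an opengraph
// object, imitating the loop in head.ejs. `escape` selects between the
// behaviour of `<%-` (false, raw output) and `<%=` (true, escaped output).
function renderOgTags(opengraph, escape) {
  const out = [];
  for (const og of Object.keys(opengraph)) {
    const raw = opengraph[og];
    // Only non-empty string values are rendered (the template calls .trim()).
    if (typeof raw !== 'string' || raw.trim() === '') continue;
    const key = escape ? escapeHtml(og) : og;
    const val = escape ? escapeHtml(raw) : raw;
    out.push(`<meta property="og:${key}" content="${val}">`);
  }
  return out.join('\n');
}

// Crude structural check a test suite could use: every rendered line must be
// exactly one <meta> tag whose attribute values contain no quote or angle
// bracket, i.e. nothing from the note metadata escaped the attribute.
function containsOnlyMetaTags(html) {
  return html
    .split('\n')
    .every((line) => /^<meta property="og:[^"<>]*" content="[^"<>]*">$/.test(line));
}

// Constructed note metadata: two ordinary values and one that tries to
// close the content attribute and start a new tag.
const constructedOpengraph = {
  title: 'My note',
  description: 'A "quoted" description & more',
  image: '"><script>alert(1)</script>',
};

// With raw interpolation the hostile value breaks out of the attribute;
// with escaping it is rendered inertly as text inside the attribute.
function demo() {
  return {
    rawIsSafe: containsOnlyMetaTags(renderOgTags(constructedOpengraph, false)),
    escapedIsSafe: containsOnlyMetaTags(renderOgTags(constructedOpengraph, true)),
  };
}
```

Running `demo()` yields `rawIsSafe: false` and `escapedIsSafe: true`; the escaped rendering of the `image` value is `content="&#34;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"`, so the browser sees a string, not markup.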
davidmehren and SISheogorath committed May 9, 2021
1 parent 87c83dc commit 4a02160
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion public/views/hedgedoc/head.ejs
@@ -7,7 +7,7 @@
<%- include('../includes/favicon') %>
<% for (var og in opengraph) { %>
<% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %>
<meta property="og:<%- og %>" content="<%- opengraph[og] %>">
<meta property="og:<%= og %>" content="<%= opengraph[og] %>">
<% }} if (!opengraph.hasOwnProperty('image')) { %>
<meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png">
<meta property="og:image:alt" content="HedgeDoc logo">
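Review bot: the trailing context line `<meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png">` still interpolates with the unescaped `<%-` tag inside an attribute value; `serverURL` comes from server configuration rather than from note metadata, so the exposure is not the same, but switching it to `<%= serverURL %>` as well would leave the head template free of raw interpolation and make a later grep for `<%-` meaningful. Two smaller points on the unchanged lines: the guard `opengraph[og].trim() !== ''` throws if a YAML value under `opengraph` is not a string (a number or a nested map), so a `typeof opengraph[og] === 'string'` check before `.trim()` would harden the loop; and a regression test that renders a note whose `opengraph` value contains `"` and `<` and asserts the output stays inside the `content` attribute would lock in this fix.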

0 comments on commit 4a02160