Fix XSS vulnerability in error page

krateng · Dec 17, 2023 · febaff9 · febaff9
1 parent 12064f6
commit febaff9
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 4 deletions.
diff --git a/dev/releases/3.2.yml b/dev/releases/3.2.yml
@@ -33,6 +33,7 @@ minor_release_name: "Nicole"
     - "[Technical] Upgraded all third party modules to use requests module and send User Agent"
 3.2.2:
     notes:
+    - "[Security] Fixed XSS vulnerability in error page (Disclosed by https://github.com/NULLYUKI)"
     - "[Architecture] Reworked the default directory selection"
     - "[Feature] Added option to show scrobbles on tile charts"
     - "[Bugfix] Fixed Last.fm authentication"
diff --git a/maloja/__pkginfo__.py b/maloja/__pkginfo__.py
@@ -4,7 +4,7 @@
 # you know what f*ck it
 # this is hardcoded for now because of that damn project / package name discrepancy
 # i'll fix it one day
-VERSION = "3.2.1"
+VERSION = "3.2.2"
 HOMEPAGE = "https://github.com/krateng/maloja"
 
 

diff --git a/maloja/data_files/config/rules/predefined/krateng_kpopgirlgroups.tsv b/maloja/data_files/config/rules/predefined/krateng_kpopgirlgroups.tsv
@@ -217,6 +217,8 @@ countas			Pristin V		Pristin
 
 # CLC
 countas			Sorn				CLC
+countas			Yeeun				CLC
+countas			Seungyeon			CLC
 
 # Popular Remixes
 artistintitle	Areia Remix				Areia

diff --git a/maloja/web/jinja/error.jinja b/maloja/web/jinja/error.jinja
@@ -8,8 +8,8 @@
 				<div style="background-image:url('/favicon.png')"></div>
 			</td>
 			<td class="text">
-				<h1>{{ error_desc }}</h1><br/>
-				{{ error_full_desc }}
+				<h1>{{ error_desc | e }}</h1><br/>
+				{{ error_full_desc | e }}
 
 			</td>
 		</tr>

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "malojaserver"
-version = "3.2.1"
+version = "3.2.2"
 description = "Self-hosted music scrobble database"
 readme = "./README.md"
 requires-python = ">=3.10"