Security fix to ReactionBleed in WeKan. It is XSS in feature "Reactio…

…n to comment". Thanks to Alexander Starikov at Jet Infosystems (https://jetinfosystems.com/).
wekan · Apr 17, 2023 · 47ac33d · 47ac33d
1 parent ce35799
commit 47ac33d
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/models/cardCommentReactions.js b/models/cardCommentReactions.js
@@ -1,5 +1,14 @@
 const commentReactionSchema = new SimpleSchema({
-  reactionCodepoint: { type: String, optional: false },
+  reactionCodepoint: {
+    type: String,
+    optional: false,
+    max: 9, // max length of reaction code
+    custom() {
+      if (!this.value.match(/^&#\d{4,6};$/)) { // regex for only valid reactions
+        return "incorrectReactionCode";
+      }
+    },
+  },
   userIds: { type: [String], defaultValue: [] }
 });