github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-01-26 18:12:23 +00:00
Code Issues Projects Releases Packages Wiki Activity

Sanitize username and photo URL

Browse source 
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren 2021-05-09 15:35:06 +02:00
parent 4a0216096a
commit f552b14e11
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
lib/models/user.js
View file

@ -2,6 +2,7 @@
// external modules
const Sequelize = require('sequelize')
const scrypt = require('scrypt-kdf')
const filterXSS = require('xss')
// core
const logger = require('../logger')
@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) {
}
if (profile) {
profile = {
name: profile.displayName || profile.username,
name: filterXSS(profile.displayName || profile.username),
photo: User.parsePhotoByProfile(profile),
biggerphoto: User.parsePhotoByProfile(profile, true)
}
@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) {
photo = generateAvatarURL(profile.username)
break
}
return photo
return filterXSS(photo)
}
User.parseProfileByEmail = function (email) {
return {