github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-11-22 09:46:30 -05:00
Code Issues Projects Releases Packages Wiki Activity
hedgedoc/public
History
David Mehren 4a0216096a
Escape custom Open Graph tags 
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:21:27 +02:00
..
banner Replace CodiMD with HedgeDoc 2020-11-14 21:18:36 +01:00
css Improved CSS in night-mode 2021-01-28 12:30:47 +01:00
docs Fix typo in release notes 2021-05-06 22:37:47 +02:00
fonts Remove uesless executable permission for static files 2016-11-14 21:13:02 +08:00
icons apply review suggestions 2020-11-15 20:12:39 +01:00
js Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines 2021-05-06 21:16:22 +02:00
uploads upload image to public/uploads 2016-11-14 16:45:57 +08:00
vendor Fix toolbar day mode 2019-05-12 20:15:46 +02:00
views Escape custom Open Graph tags 2021-05-09 19:21:27 +02:00
.eslintrc.js Linter: Fix all lint errors 2021-02-15 12:15:14 +01:00
default.md Removed unused note and set empty on default note, updated features note 2016-01-17 09:57:25 -06:00
screenshot.png Updated screenshot 2020-11-17 11:13:58 +01:00