hedgedoc/public/views
David Mehren 4a0216096a
Escape custom Open Graph tags
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:21:27 +02:00
..
hedgedoc Escape custom Open Graph tags 2021-05-09 19:21:27 +02:00
includes apply review suggestions 2020-11-15 20:12:39 +01:00
index Extract list of supported languages in separate file 2021-04-26 21:45:31 +02:00
shared apply review suggestions 2020-11-15 20:12:39 +01:00
error.ejs Switch to ejs 3 compliant imports 2021-02-09 20:27:39 +01:00
hedgedoc.ejs Templates: Remove lang and add translation parameter 2021-03-16 10:48:44 +01:00
html.hbs Templates: Remove lang and add translation parameter 2021-03-16 10:48:44 +01:00
index.ejs Templates: Remove lang and add translation parameter 2021-03-16 10:48:44 +01:00
pretty.ejs Templates: Remove lang and add translation parameter 2021-03-16 10:48:44 +01:00
slide.ejs Templates: Remove lang and add translation parameter 2021-03-16 10:48:44 +01:00