hedgedoc

mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-01-09 07:52:01 +00:00

History

David Mehren 4a0216096a Escape custom Open Graph tags HedgeDoc allows to specify custom Open Graph tags using the `opengraph` key in the YAML metadata of a note. These are rendered into the HTML delivered to clients using `ejs` and its `<%-` tag. This outputs the variable unescaped into the template and therefore allows to inject arbitrary strings, including `<script>` tags. This commit changes the template to use ejs's `<%=` tag instead, which automatically escapes the variables content, thereby mitigating the XSS vector. See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de>		2021-05-09 19:21:27 +02:00
..
banner
css
docs	Fix typo in release notes	2021-05-06 22:37:47 +02:00
fonts
icons
js	Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines	2021-05-06 21:16:22 +02:00
uploads
vendor
views	Escape custom Open Graph tags	2021-05-09 19:21:27 +02:00
.eslintrc.js
default.md
screenshot.png