hedgedoc/lib
David Mehren f552b14e11
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:28:44 +02:00
..
config Automatically enable protocolUseSSL when useSSL is set 2021-05-06 21:19:14 +02:00
migrations Add missing catch 2020-12-02 19:39:06 +01:00
models Sanitize username and photo URL 2021-05-09 19:28:44 +02:00
ot Fix logging in ot module 2018-11-13 23:30:13 +01:00
web ImageRouterImgur: Replace imgur library with note-fetch request 2021-04-22 21:23:27 +02:00
workers Linter: Fix all lint errors 2021-02-15 12:15:14 +01:00
csp.js Fix upgradeInsecureRequests CSP directive 2021-05-04 11:10:53 +02:00
errors.js Check for existing notes on POST and dont override them 2021-03-29 23:00:34 +02:00
history.js Linter: Fix all lint errors 2021-02-15 12:15:14 +01:00
letter-avatars.js Linter: Fix all lint errors 2021-02-15 12:15:14 +01:00
logger.js Fix eslint warnings 2019-05-31 00:30:29 +02:00
prometheus.js Add custom prometheus metrics 2021-04-25 20:06:56 +02:00
realtime.js Linter: Fix all lint errors 2021-02-15 12:15:14 +01:00
response.js Replace request library with node-fetch 2021-03-12 22:27:49 +01:00
utils.js Linter: Fix all lint errors 2021-02-15 12:15:14 +01:00