mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2025-01-08 15:01:05 +00:00
4a0216096a
HedgeDoc allows to specify custom Open Graph tags using the `opengraph` key in the YAML metadata of a note. These are rendered into the HTML delivered to clients using `ejs` and its `<%-` tag. This outputs the variable unescaped into the template and therefore allows to inject arbitrary strings, including `<script>` tags. This commit changes the template to use ejs's `<%=` tag instead, which automatically escapes the variables content, thereby mitigating the XSS vector. See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de> |
||
|---|---|---|
| .. | ||
| hedgedoc | ||
| includes | ||
| index | ||
| shared | ||
| error.ejs | ||
| hedgedoc.ejs | ||
| html.hbs | ||
| index.ejs | ||
| pretty.ejs | ||
| slide.ejs | ||