Merge pull request #3765 from overleaf/jpa-xss-6

[views] mitigate Angular XSS in subscription dashboard GitOrigin-RevId: 4ac0c431d520957aabd53436ae29a30c2aef3870
2024-11-21 20:47:08 -05:00 · 2021-03-17 12:46:21 +01:00 · 2021-03-17 12:46:21 +01:00 · 58841ecbe9
commit 58841ecbe9
parent 001f7f0cc2
4 changed files with 6 additions and 6 deletions
--- a/services/web/app/views/subscriptions/dashboard/_institution_memberships.pug
+++ b/services/web/app/views/subscriptions/dashboard/_institution_memberships.pug
@ -8,6 +8,6 @@ each affiliation in confirmedMemberAffiliations
 			|
 			| #{settings.appName} account as a confirmed member of
 			|
-			strong= affiliation.institution.name
+			strong(ng-non-bindable)= affiliation.institution.name
 		hr

--- a/services/web/app/views/subscriptions/dashboard/_managed_institutions.pug
+++ b/services/web/app/views/subscriptions/dashboard/_managed_institutions.pug
@ -5,7 +5,7 @@ each institution in managedInstitutions
 	p
 		| You are a manager of
 		|
-		strong= institution.name
+		strong(ng-non-bindable)= institution.name
 	p
 		a.btn.btn-primary(href="/metrics/institutions/" + institution.v1Id)
 			i.fa.fa-fw.fa-line-chart
@ -23,7 +23,7 @@ each institution in managedInstitutions
 			| Manage institution managers
 	div(ng-controller="MetricsEmailController", ng-cloak)
 		p
-			span Monthly metrics emails: 
+			span Monthly metrics emails:
 				a(href ng-bind-html="institutionEmailSubscription('"+institution.v1Id+"')" ng-show="!subscriptionChanging" ng-click="changeInstitutionalEmailSubscription('"+institution.v1Id+"')")
 				span(ng-show="subscriptionChanging")
 					i.fa.fa-spin.fa-refresh(aria-hidden="true")
--- a/services/web/app/views/subscriptions/dashboard/_managed_publishers.pug
+++ b/services/web/app/views/subscriptions/dashboard/_managed_publishers.pug
@ -2,7 +2,7 @@ each publisher in managedPublishers
 	p
 		| You are a manager of
 		|
-		strong= publisher.name
+		strong(ng-non-bindable)= publisher.name
 	p
 		a(href="/publishers/" + publisher.slug + "/hub")
 			i.fa.fa-fw.fa-user-circle
--- a/services/web/app/views/subscriptions/dashboard/_team_name_mixin.pug
+++ b/services/web/app/views/subscriptions/dashboard/_team_name_mixin.pug
@ -1,9 +1,9 @@
 mixin teamName(subscription)
 	- if (subscription.teamName && subscription.teamName != '')
-		strong= subscription.teamName
+		strong(ng-non-bindable)= subscription.teamName
 	- else if (subscription.admin_id._id == user._id)
 		| a group account
 	- else
 		| the group account owned by
 		|
-		strong= subscription.admin_id.email
+		strong= subscription.admin_id.email