Merge pull request #3765 from overleaf/jpa-xss-6

[views] mitigate Angular XSS in subscription dashboard GitOrigin-RevId: 4ac0c431d520957aabd53436ae29a30c2aef3870
2024-11-21 20:47:08 -05:00 · 2021-03-17 12:46:21 +01:00 · 2021-03-17 12:46:21 +01:00 · 58841ecbe9
commit 58841ecbe9
parent 001f7f0cc2
4 changed files with 6 additions and 6 deletions
--- a/services/web/app/views/subscriptions/dashboard/_institution_memberships.pug
+++ b/services/web/app/views/subscriptions/dashboard/_institution_memberships.pug
@ -8,6 +8,6 @@ each affiliation in confirmedMemberAffiliations
 			|
 			| #{settings.appName} account as a confirmed member of
 			|
-			strong= affiliation.institution.name
+			strong(ng-non-bindable)= affiliation.institution.name
 		hr

--- a/services/web/app/views/subscriptions/dashboard/_managed_institutions.pug
+++ b/services/web/app/views/subscriptions/dashboard/_managed_institutions.pug
@ -5,7 +5,7 @@ each institution in managedInstitutions
 	p
 		| You are a manager of
 		|
-		strong= institution.name
+		strong(ng-non-bindable)= institution.name
 	p
 		a.btn.btn-primary(href="/metrics/institutions/" + institution.v1Id)
 			i.fa.fa-fw.fa-line-chart
--- a/services/web/app/views/subscriptions/dashboard/_managed_publishers.pug
+++ b/services/web/app/views/subscriptions/dashboard/_managed_publishers.pug
@ -2,7 +2,7 @@ each publisher in managedPublishers
 	p
 		| You are a manager of
 		|
-		strong= publisher.name
+		strong(ng-non-bindable)= publisher.name
 	p
 		a(href="/publishers/" + publisher.slug + "/hub")
 			i.fa.fa-fw.fa-user-circle
--- a/services/web/app/views/subscriptions/dashboard/_team_name_mixin.pug
+++ b/services/web/app/views/subscriptions/dashboard/_team_name_mixin.pug
@ -1,6 +1,6 @@
 mixin teamName(subscription)
 	- if (subscription.teamName && subscription.teamName != '')
-		strong= subscription.teamName
+		strong(ng-non-bindable)= subscription.teamName
 	- else if (subscription.admin_id._id == user._id)
 		| a group account
 	- else