Merge pull request #3768 from overleaf/jpa-xss-10

[views] mitigate Angular XSS on password reset page GitOrigin-RevId: 65f423fcb1a3afff0f396bb8e173d1e1bcff056a
2024-11-21 20:47:08 -05:00 · 2021-03-17 12:46:49 +01:00 · 2021-03-17 12:46:49 +01:00 · 7609b741fa
commit 7609b741fa
parent 8766c23abb
1 changed files with 3 additions and 2 deletions
--- a/services/web/app/views/user/setPassword.pug
+++ b/services/web/app/views/user/setPassword.pug
@ -17,7 +17,7 @@ block content
 						)
 							input(type="hidden", name="_csrf", value=csrfToken)
 							.alert.alert-success(ng-show="passwordResetForm.response.success")
-								| #{translate("password_has_been_reset")}. 
+								| #{translate("password_has_been_reset")}.
 								a(href='/login') #{translate("login_here")}
 							div(ng-show="passwordResetForm.response.error == true")
 								div(ng-switch="passwordResetForm.response.status")
@ -42,11 +42,12 @@ block content
 									autofocus,
 									complex-password
 								)
-								span.small.text-primary(ng-show="passwordResetForm.password.$error.complexPassword", ng-bind-html="complexPasswordErrorMessage") 
+								span.small.text-primary(ng-show="passwordResetForm.password.$error.complexPassword", ng-bind-html="complexPasswordErrorMessage")
 								input(
 									type="hidden",
 									name="passwordResetToken",
 									value=passwordResetToken
+									ng-non-bindable
 								)
 							.actions
 								button.btn.btn-primary(