Sanitize display of system messages.

When showing system-messages, use default Angular sanitizer, also, on the admin panel itself, show the verbatim text of the message. This solves a mild Stored-XSS vulnerability whereby a user could put `<script>` tags in a message. We don't want that, but we do want to be able to use basic html tags.
2025-04-19 18:15:17 +00:00 · 2018-08-22 10:15:50 +01:00 · 2018-08-22 10:15:50 +01:00 · 7f7b10aa09
commit 7f7b10aa09
parent eeadd1e9bb
2 changed files with 4 additions and 4 deletions
--- a/services/web/app/views/admin/index.pug
+++ b/services/web/app/views/admin/index.pug
@ -10,8 +10,8 @@ block content
 							h1 Admin Panel
 						tabset(ng-cloak)
 							tab(heading="System Messages")
-								each message in systemMessages 
-									.alert.alert-info.row-spaced !{message.content}
+								each message in systemMessages
+									.alert.alert-info.row-spaced #{message.content}
 								hr
 								form(enctype='multipart/form-data', method='post', action='/admin/messages')
 									input(name="_csrf", type="hidden", value=csrfToken)
--- a/services/web/public/coffee/main/system-messages.coffee
+++ b/services/web/public/coffee/main/system-messages.coffee
@ -6,8 +6,8 @@ define [
 		
 	App.controller "SystemMessageController", ($scope, $sce) ->
 		$scope.hidden = $.localStorage("systemMessage.hide.#{$scope.message._id}")
-		$scope.htmlContent = $sce.trustAsHtml $scope.message.content
+		$scope.htmlContent = $scope.message.content
 		
 		$scope.hide = () ->
 			$scope.hidden = true
-			$.localStorage("systemMessage.hide.#{$scope.message._id}", true)
+			$.localStorage("systemMessage.hide.#{$scope.message._id}", true)