mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-21 20:47:08 -05:00
Merge pull request #3755 from overleaf/jpa-xss-2
[views] mitigate Angular XSS via email/new_email GitOrigin-RevId: 3d127c283ba9f97c5b0e6c53a9d77f7f597058bb
This commit is contained in:
Jakob Ackermann
Copybot
parent
7609b741fa
commit
f353728bda
5 changed files with 18 additions and 19 deletions
|
|
@ -22,7 +22,6 @@ const UserPagesController = {
|
|||
title: 'register',
|
||||
sharedProjectData,
|
||||
newTemplateData,
|
||||
new_email: req.query.new_email || '',
|
||||
samlBeta: req.session.samlBeta
|
||||
})
|
||||
},
|
||||
|
|
@ -37,8 +36,7 @@ const UserPagesController = {
|
|||
AuthenticationController.setRedirectInSession(req, req.query.redir)
|
||||
}
|
||||
res.render('user/login', {
|
||||
title: 'login',
|
||||
email: req.query.email
|
||||
title: 'login'
|
||||
})
|
||||
},
|
||||
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ block content
|
|||
placeholder='email@example.com',
|
||||
ng-model="email",
|
||||
ng-model-options="{ updateOn: 'blur' }",
|
||||
ng-init="email = "+JSON.stringify(email),
|
||||
focus="true"
|
||||
)
|
||||
span.small.text-primary(ng-show="loginForm.email.$invalid && loginForm.email.$dirty")
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ block content
|
|||
form(async-form="settings", name="settingsForm", method="POST", action="/user/settings", novalidate)
|
||||
input(type="hidden", name="_csrf", value=csrfToken)
|
||||
if !hasFeature('affiliations')
|
||||
if !externalAuthenticationSystemUsed()
|
||||
if !externalAuthenticationSystemUsed()
|
||||
.form-group
|
||||
label(for='email') #{translate("email")}
|
||||
input.form-control(
|
||||
|
|
@ -32,7 +32,6 @@ block content
|
|||
placeholder="email@example.com"
|
||||
required,
|
||||
ng-model="email",
|
||||
ng-init="email = "+JSON.stringify(user.email),
|
||||
ng-model-options="{ updateOn: 'blur' }"
|
||||
)
|
||||
span.small.text-danger(ng-show="settingsForm.email.$invalid && settingsForm.email.$dirty")
|
||||
|
|
@ -130,7 +129,7 @@ block content
|
|||
required,
|
||||
complex-password
|
||||
)
|
||||
span.small.text-danger(ng-show="changePasswordForm.newPassword1.$error.complexPassword && changePasswordForm.newPassword1.$dirty", ng-bind-html="complexPasswordErrorMessage" aria-live="polite")
|
||||
span.small.text-danger(ng-show="changePasswordForm.newPassword1.$error.complexPassword && changePasswordForm.newPassword1.$dirty", ng-bind-html="complexPasswordErrorMessage" aria-live="polite")
|
||||
.form-group
|
||||
label(for='newPassword2') #{translate("confirm_new_password")}
|
||||
input.form-control(
|
||||
|
|
@ -140,11 +139,11 @@ block content
|
|||
placeholder='*********',
|
||||
ng-model="newPassword2",
|
||||
equals="passwordField"
|
||||
)
|
||||
)
|
||||
span.small.text-danger(ng-show="changePasswordForm.newPassword2.$error.areEqual && changePasswordForm.newPassword2.$dirty" aria-live="polite")
|
||||
| #{translate("doesnt_match")}
|
||||
| #{translate("doesnt_match")}
|
||||
span.small.text-danger(ng-show="!changePasswordForm.newPassword2.$error.areEqual && changePasswordForm.newPassword2.$invalid && changePasswordForm.newPassword2.$dirty" aria-live="polite")
|
||||
| #{translate("invalid_password")}
|
||||
| #{translate("invalid_password")}
|
||||
.form-group
|
||||
form-messages(aria-live="polite" for="changePasswordForm")
|
||||
.actions
|
||||
|
|
@ -158,16 +157,16 @@ block content
|
|||
|
||||
h3
|
||||
| #{translate("sharelatex_beta_program")}
|
||||
|
||||
|
||||
if (user.betaProgram)
|
||||
p.small
|
||||
| #{translate("beta_program_already_participating")}
|
||||
|
||||
|
||||
div
|
||||
a(id="beta-program-participate-link" href="/beta/participate") #{translate("manage_beta_program_membership")}
|
||||
|
||||
hr
|
||||
|
||||
|
||||
h3
|
||||
| #{translate("sessions")}
|
||||
|
||||
|
|
@ -183,7 +182,7 @@ block content
|
|||
if !externalAuthenticationSystemUsed() || (settings.createV1AccountOnLogin && settings.overleaf)
|
||||
|
||||
p.small
|
||||
| #{translate("newsletter_info_and_unsubscribe")}
|
||||
| #{translate("newsletter_info_and_unsubscribe")}
|
||||
a(
|
||||
href,
|
||||
ng-click="unsubscribe()",
|
||||
|
|
@ -205,7 +204,7 @@ block content
|
|||
| Please note: If you have linked your account with Overleaf
|
||||
| v2, then deleting your ShareLaTeX account will also delete
|
||||
| account and all of it's associated projects and data.
|
||||
p #{translate("need_to_leave")}
|
||||
p #{translate("need_to_leave")}
|
||||
a(href, ng-click="deleteAccount()") #{translate("delete_your_account")}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -3,17 +3,21 @@ import 'libs/passfield'
|
|||
App.directive('asyncForm', ($http, validateCaptcha, validateCaptchaV3) => ({
|
||||
controller: [
|
||||
'$scope',
|
||||
function($scope) {
|
||||
'$location',
|
||||
function($scope, $location) {
|
||||
this.getEmail = () => $scope.email
|
||||
this.getEmailFromQuery = () =>
|
||||
$location.search().email || $location.search().new_email
|
||||
return this
|
||||
}
|
||||
],
|
||||
link(scope, element, attrs) {
|
||||
link(scope, element, attrs, ctrl) {
|
||||
let response
|
||||
const formName = attrs.asyncForm
|
||||
|
||||
scope[attrs.name].response = response = {}
|
||||
scope[attrs.name].inflight = false
|
||||
scope.email = scope.email || ctrl.getEmailFromQuery() || attrs.newEmail
|
||||
|
||||
const validateCaptchaIfEnabled = function(callback) {
|
||||
if (attrs.captchaActionName) {
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ block content
|
|||
)
|
||||
.alert.alert-danger(ng-show="activationForm.response.error")
|
||||
| #{translate("activation_token_expired")}
|
||||
|
||||
|
||||
.form-group
|
||||
label(for='email') #{translate("email")}
|
||||
input.form-control(
|
||||
|
|
@ -35,7 +35,6 @@ block content
|
|||
placeholder="email@example.com"
|
||||
required,
|
||||
ng-model="email",
|
||||
ng-init="email = "+JSON.stringify(email),
|
||||
ng-model-options="{ updateOn: 'blur' }",
|
||||
disabled
|
||||
)
|
||||
|
|
|
|||
Loading…
Reference in a new issue