LailaTheElf/hedgedoc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Escape custom Open Graph tags

Browse Source 
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren 2021-05-09 15:25:59 +02:00
parent 87c83dcba5
commit 4a0216096a
No known key found for this signature in database
GPG Key ID: 185982BA4C42B7C3
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
public/views/hedgedoc/head.ejs
View File

@ -7,7 +7,7 @@
<%- include('../includes/favicon') %> <%- include('../includes/favicon') %>
<% for (var og in opengraph) { %> <% for (var og in opengraph) { %>
<% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %> <% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %>
<meta property="og:<%- og %>" content="<%- opengraph[og] %>"> <meta property="og:<%= og %>" content="<%= opengraph[og] %>">
<% }} if (!opengraph.hasOwnProperty('image')) { %> <% }} if (!opengraph.hasOwnProperty('image')) { %>
<meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png"> <meta property="og:image" content="<%- serverURL %>/icons/android-chrome-512x512.png">
<meta property="og:image:alt" content="HedgeDoc logo"> <meta property="og:image:alt" content="HedgeDoc logo">