Security Fix JVN#86586539: Stored XSS.

Thanks to Ryoya Koyama of Mitsui Bussan Secure Directions, Inc and xet7.
2025-12-17 16:00:13 +01:00 · 2025-10-10 23:14:06 +03:00 · 2025-10-10 23:14:06 +03:00 · ee79cab7b2
commit ee79cab7b2
parent a0b94065c5
9 changed files with 248 additions and 75 deletions
--- a/client/components/activities/activities.js
+++ b/client/components/activities/activities.js
@ -1,5 +1,6 @@
 import { ReactiveCache } from '/imports/reactiveCache';
 import DOMPurify from 'dompurify';
+import { sanitizeHTML, sanitizeText } from '/client/lib/secureDOMPurify';
 import { TAPi18n } from '/imports/i18n';

 const activitiesPerPage = 500;
@ -216,15 +217,11 @@ BlazeComponent.extendComponent({
            {
              href: source.url,
            },
-            DOMPurify.sanitize(source.system, {
-              ALLOW_UNKNOWN_PROTOCOLS: true,
-            }),
+            sanitizeHTML(source.system),
          ),
        );
      } else {
-        return DOMPurify.sanitize(source.system, {
-          ALLOW_UNKNOWN_PROTOCOLS: true,
-        });
+        return sanitizeHTML(source.system);
      }
    }
    return null;
@ -248,10 +245,10 @@ BlazeComponent.extendComponent({
              href: `${attachment.link()}?download=true`,
              target: '_blank',
            },
-            DOMPurify.sanitize(attachment.name),
+            sanitizeText(attachment.name),
          ),
        )) ||
-      DOMPurify.sanitize(this.currentData().activity.attachmentName)
+      sanitizeText(this.currentData().activity.attachmentName)
    );
  },

@ -265,7 +262,7 @@ BlazeComponent.extendComponent({

 Template.activity.helpers({
  sanitize(value) {
-    return DOMPurify.sanitize(value, { ALLOW_UNKNOWN_PROTOCOLS: true });
+    return sanitizeHTML(value);
  },
 });

@ -336,7 +333,7 @@ function createCardLink(card, board) {
          href: card.originRelativeUrl(),
          class: 'action-card',
        },
-        DOMPurify.sanitize(text, { ALLOW_UNKNOWN_PROTOCOLS: true }),
+        sanitizeHTML(text),
      ),
    )
  );
@ -353,7 +350,7 @@ function createBoardLink(board, list) {
          href: board.originRelativeUrl(),
          class: 'action-board',
        },
-        DOMPurify.sanitize(text, { ALLOW_UNKNOWN_PROTOCOLS: true }),
+        sanitizeHTML(text),
      ),
    )
  );