Security Fix JVN#86586539: Stored XSS.

Thanks to Ryoya Koyama of Mitsui Bussan Secure Directions, Inc and xet7.
Lauri Ojansivu 2025-10-10 23:14:06 +03:00
parent a0b94065c5
commit ee79cab7b2
9 changed files with 248 additions and 75 deletions


@ -1,6 +1,7 @@
import { ReactiveCache } from '/imports/reactiveCache';
import { ObjectID } from 'bson';
import DOMPurify from 'dompurify';
import { sanitizeHTML, sanitizeText } from '/client/lib/secureDOMPurify';
import uploadProgressManager from '/client/lib/uploadProgressManager';
const filesize = require('filesize');
@ -269,7 +270,7 @@ Template.attachmentGallery.helpers({
return ret;
},
sanitize(value) {
return DOMPurify.sanitize(value);
return sanitizeHTML(value);
},
});
@ -360,7 +361,7 @@ export function handleFileUpload(card, files) {
}
const fileId = new ObjectID().toString();
let fileName = DOMPurify.sanitize(file.name);
let fileName = sanitizeText(file.name);
// If sanitized filename is not same as original filename,
// it could be XSS that is already fixed with sanitize,
@ -566,7 +567,7 @@ BlazeComponent.extendComponent({
const name = this.$('.js-edit-attachment-name')[0]
.value
.trim() + this.data().extensionWithDot;
if (name === DOMPurify.sanitize(name)) {
if (name === sanitizeText(name)) {
Meteor.call('renameAttachment', this.data()._id, name);
}
Popup.back();
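Review bot: The `name === sanitizeText(name)` guard in the rename handler runs only in the browser, so it cannot by itself keep a stored-XSS filename out of the database; the `renameAttachment` server method (not visible in this section) has to apply the same check, and the templates that render the name have to escape it on output. I would record that at the call site, e.g. `// UX check only; renameAttachment must re-validate name server-side`. When the comparison fails, the handler falls through to `Popup.back()` without any message, so a user whose filename was rejected gets no feedback; surfacing an error there would help. If the three replaced calls were the only uses, `import DOMPurify from 'dompurify'` at the top of the file is now unused and could be dropped. The enclosing handler starts and ends outside the hunk.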