Security Fix JVN#86586539: Stored XSS.

Thanks to Ryoya Koyama of Mitsui Bussan Secure Directions, Inc and xet7.
2025-12-16 07:20:12 +01:00 · 2025-10-10 23:14:06 +03:00 · 2025-10-10 23:14:06 +03:00 · ee79cab7b2
commit ee79cab7b2
parent a0b94065c5
9 changed files with 248 additions and 75 deletions
--- a/models/cardComments.js
+++ b/models/cardComments.js
@ -1,6 +1,7 @@
 import { ReactiveCache } from '/imports/reactiveCache';
 import escapeForRegex from 'escape-string-regexp';
 import DOMPurify from 'dompurify';
+import { sanitizeText } from '/client/lib/secureDOMPurify';

 CardComments = new Mongo.Collection('card_comments');

@ -103,7 +104,7 @@ CardComments.helpers({
  },

  toggleReaction(reactionCodepoint) {
-    if (reactionCodepoint !== DOMPurify.sanitize(reactionCodepoint)) {
+    if (reactionCodepoint !== sanitizeText(reactionCodepoint)) {
      return false;
    } else {

--- a/models/cards.js
+++ b/models/cards.js
@ -1756,10 +1756,20 @@ Cards.helpers({
  },

  setTitle(title) {
+    // Sanitize title on client side as well
+    let sanitizedTitle = title;
+    if (typeof title === 'string') {
+      const { sanitizeTitle } = require('/server/lib/inputSanitizer');
+      sanitizedTitle = sanitizeTitle(title);
+      if (process.env.DEBUG === 'true' && sanitizedTitle !== title) {
+        console.warn('Client-side sanitized card title:', title, '->', sanitizedTitle);
+      }
+    }
+
    if (this.isLinkedBoard()) {
-      return Boards.update({ _id: this.linkedId }, { $set: { title } });
+      return Boards.update({ _id: this.linkedId }, { $set: { title: sanitizedTitle } });
    } else {
-      return Cards.update({ _id: this.getRealId() }, { $set: { title } });
+      return Cards.update({ _id: this.getRealId() }, { $set: { title: sanitizedTitle } });
    }
  },

@ -3565,7 +3575,13 @@ JsonRoutes.add('GET', '/api/boards/:boardId/cards_count', function(
      Authentication.checkBoardAccess(req.userId, paramBoardId);

      if (req.body.title) {
-        const newTitle = req.body.title;
+        const { sanitizeTitle } = require('/server/lib/inputSanitizer');
+        const newTitle = sanitizeTitle(req.body.title);
+
+        if (process.env.DEBUG === 'true' && newTitle !== req.body.title) {
+          console.warn('Sanitized card title input:', req.body.title, '->', newTitle);
+        }
+
        Cards.direct.update(
          {
            _id: paramCardId,
--- a/models/lists.js
+++ b/models/lists.js
@ -313,6 +313,15 @@ Lists.helpers({

 Lists.mutations({
  rename(title) {
+    // Sanitize title on client side as well
+    if (typeof title === 'string') {
+      const { sanitizeTitle } = require('/server/lib/inputSanitizer');
+      const sanitizedTitle = sanitizeTitle(title);
+      if (process.env.DEBUG === 'true' && sanitizedTitle !== title) {
+        console.warn('Client-side sanitized list title:', title, '->', sanitizedTitle);
+      }
+      return { $set: { title: sanitizedTitle } };
+    }
    return { $set: { title } };
  },
  star(enable = true) {
@ -644,7 +653,13 @@ if (Meteor.isServer) {

      // Update title if provided
      if (req.body.title) {
-        const newTitle = req.body.title;
+        const { sanitizeTitle } = require('/server/lib/inputSanitizer');
+        const newTitle = sanitizeTitle(req.body.title);
+
+        if (process.env.DEBUG === 'true' && newTitle !== req.body.title) {
+          console.warn('Sanitized list title input:', req.body.title, '->', newTitle);
+        }
+
        Lists.direct.update(
          {
            _id: paramListId,