Security Fix JVN#86586539: Stored XSS.

Thanks to Ryoya Koyama of Mitsui Bussan Secure Directions, Inc and xet7.
This commit is contained in:
Lauri Ojansivu 2025-10-10 23:14:06 +03:00
parent a0b94065c5
commit ee79cab7b2
9 changed files with 248 additions and 75 deletions


@ -1,6 +1,7 @@
import { ReactiveCache } from '/imports/reactiveCache';
import escapeForRegex from 'escape-string-regexp';
import DOMPurify from 'dompurify';
import { sanitizeText } from '/client/lib/secureDOMPurify';
CardComments = new Mongo.Collection('card_comments');
@ -103,7 +104,7 @@ CardComments.helpers({
},
toggleReaction(reactionCodepoint) {
if (reactionCodepoint !== DOMPurify.sanitize(reactionCodepoint)) {
if (reactionCodepoint !== sanitizeText(reactionCodepoint)) {
return false;
} else {