author | Marc Hartmayer <hello@hartmayer.com> | 2020-06-07 22:58:56 +0200 |
---|---|---|
committer | Marc Hartmayer <hello@hartmayer.com> | 2020-06-07 23:22:04 +0200 |
commit | fb44df981581354bf23a6928427ad2bf73c4550f (patch) | |
tree | 82550bf4323dd6f7435afacbf248d16180e7de9e /client/components/activities/activities.js | |
parent | 1f85b25549b50602380f1745f19e5fe44fe36d6f (diff) | |
WIP: XSS fixes
Diffstat (limited to 'client/components/activities/activities.js')
-rw-r--r-- | client/components/activities/activities.js | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/client/components/activities/activities.js b/client/components/activities/activities.js
index 5d356f6e..b6635da1 100644
--- a/client/components/activities/activities.js
+++ b/client/components/activities/activities.js
@@ -1,3 +1,5 @@
+import sanitizeXss from 'xss';
+
 const activitiesPerPage = 20;
 
 BlazeComponent.extendComponent({
@@ -57,7 +59,7 @@ BlazeComponent.extendComponent({
     return checkItem && checkItem.title;
   },
 
-  boardLabel() {
+  boardLabelLink() {
     const data = this.currentData();
     if (data.mode !== 'board') {
       return createBoardLink(data.activity.board(), data.activity.listName);
@@ -65,10 +67,10 @@ BlazeComponent.extendComponent({
     return TAPi18n.__('this-board');
   },
 
-  cardLabel() {
+  cardLabelLink() {
     const data = this.currentData();
     if (data.mode !== 'card') {
-      return createCardLink(this.currentData().activity.card());
+      return createCardLink(data.activity.card());
     }
     return TAPi18n.__('this-card');
   },
@@ -134,11 +136,11 @@ BlazeComponent.extendComponent({
           {
             href: source.url,
           },
-          source.system,
+          sanitizeXss(source.system),
         ),
       );
     } else {
-      return source.system;
+      return sanitizeXss(source.system);
     }
   }
   return null;
@@ -162,10 +164,10 @@ BlazeComponent.extendComponent({
             href: attachment.url({ download: true }),
             target: '_blank',
           },
-          attachment.name(),
+          sanitizeXss(attachment.name()),
         ),
       )) ||
-      this.currentData().activity.attachmentName
+      sanitizeXss(this.currentData().activity.attachmentName)
     );
   },
 
@@ -202,7 +204,15 @@ BlazeComponent.extendComponent({
   },
 }).register('activity');
 
+Template.activity.helpers({
+  sanitize(value) {
+    return sanitizeXss(value);
+  },
+});
+
 function createCardLink(card) {
+  if (!card)
+    return '';
   return (
     card &&
     Blaze.toHTML(
@@ -211,7 +221,7 @@ function createCardLink(card) {
         href: card.absoluteUrl(),
         class: 'action-card',
       },
-      card.title,
+      sanitizeXss(card.title),
     ),
   )
 );
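Review bot: `xss` is a tag-whitelisting sanitizer rather than an escaper, and with the default options used by this import it keeps markup such as `<a href>` and `<img src>`; every value this file routes through it (card titles, attachment names, import source names) is plain text, so an `<img src=…>` or a phishing `<a href=…>` typed into a card title would still render wherever the helper output is inserted unescaped. For plain-text fields the safer primitive is an escape: `import sanitizeXss, { escapeHtml } from 'xss';` and call `escapeHtml` at the text call sites (or `sanitizeXss(v, { whiteList: {}, stripIgnoreTag: true })`). As I recall, xss's text escaping rewrites only `<` and `>`, not `&` or quotes, so its output must never be placed into an attribute value.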
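Review bot: In the `source.system` hunk the `href: source.url` attribute two lines above the changed line is still emitted unchecked while only the link text is sanitized; if `source.url` originates from imported data, a `javascript:` or `data:` URL there is a script vector that Blaze's attribute escaping does not stop. Restrict it to web schemes before building the anchor, e.g. `const href = /^https?:\/\//i.test(source.url) ? source.url : '';` and pass `href` in place of `source.url`. The enclosing helper begins above this hunk, so I cannot see where `source` is read from.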
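Review bot: In createCardLink the new `if (!card) return '';` makes the `card &&` on the following line dead code, and it is the only brace-less `if` visible in this file; write it as `if (!card) { return ''; }` and drop `card &&` from the return expression. The new `sanitize` template helper adds nothing under `{{ }}`, which already escapes, and under `{{{ }}}` it still admits xss's default-whitelisted tags, so its intended usage is worth a comment such as `// Only meaningful with {{{sanitize x}}}; {{ }} already HTML-escapes.` The tail of createCardLink continues into the next hunk.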
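Review bot: `sanitizeXss(card.title)` is passed as a child of `HTML.A` and rendered through `Blaze.toHTML`, which in htmljs HTML-escapes string children; if that holds here, the xss output is escaped a second time and a title such as `a<b` displays as `a&lt;b`. If the link branch is only ever inserted via `{{{ }}}`, the raw `card.title` child was already safe through Blaze's escaping and the plain-string returns elsewhere in this file (`source.system`, `attachmentName`) look like the actual injection points; either keep `card.title` unwrapped here or verify the rendering path before merging. createCardLink's signature and first statements lie in the previous hunk, so only its closing is visible in this one.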
@@ -228,7 +238,7 @@ function createBoardLink(board, list) {
       href: board.absoluteUrl(),
       class: 'action-board',
     },
-    text,
+    sanitizeXss(text),
   ),
 )
);
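Review bot: `sanitizeXss(text)` is a child of `HTML.A` rendered via `Blaze.toHTML`, which HTML-escapes string children, so any `<` or `>` in a board or list name would be shown as a literal `&lt;`/`&gt;` if Blaze escapes here as it does in htmljs. The `text` variable is assembled in the part of createBoardLink above this hunk; check there whether it is plain text (then let Blaze escape it unwrapped) or already contains markup (then a whitelist sanitizer is the wrong tool and the markup should be built from escaped parts instead). createBoardLink starts outside the hunk.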