Escape html in ActivitiesPanel and Notificiation

changelog/unreleased/bugfix-escape-html-characters-in-activities-and-notification-view

@@ -0,0 +1,7 @@
+Bugfix: Escape HTML characters in activities and notification view
+
+We've fixed a bug where HTML characters were not escaped in the activities and notification view.
+This could lead to potential XSS attacks.
+
+https://github.com/owncloud/web/pull/11706
+https://github.com/owncloud/web/issues/11705

packages/web-app-files/src/components/SideBar/ActivitiesPanel.vue

@@ -42,6 +42,7 @@ import { useTask } from 'vue-concurrency'
 import { call, Resource } from '@ownclouders/web-client'
 import { DateTime } from 'luxon'
 import { Activity } from '@ownclouders/web-client/graph/generated'
+import escape from 'lodash-es/escape'
 
 const visibilityObserver = new VisibilityObserver()
 export default defineComponent({
@@ -82,7 +83,9 @@ export default defineComponent({
     const getHtmlFromActivity = (activity: Activity) => {
       let message = activity.template.message
       for (const [key, value] of Object.entries(activity.template.variables)) {
-        message = message.replace(`{${key}}`, `<strong>${value.displayName || value.name}</strong>`)
+        const escapedValue = escape(value.displayName || value.name)
+
+        message = message.replace(`{${key}}`, `<strong>${escapedValue}</strong>`)
       }
       return message
     }

packages/web-runtime/src/components/Topbar/Notifications.vue

@@ -75,6 +75,7 @@
 <script lang="ts">
 import { computed, onMounted, onUnmounted, ref, unref } from 'vue'
 import isEmpty from 'lodash-es/isEmpty'
+import escape from 'lodash-es/escape'
 import {
   useCapabilityStore,
   useSpacesStore,
@@ -138,7 +139,7 @@ export default {
             }
             interpolatedMessage = interpolatedMessage.replace(
               `{${param.name}}`,
-              `<strong>${label}</strong>`
+              `<strong>${escape(label)}</strong>`
             )
           }
         }