Escape html in ActivitiesPanel and Notificiation

owncloud · Oct 2, 2024 · a7c6851 · a7c6851
1 parent 4d2cd6c
commit a7c6851
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 7 deletions.
diff --git a/packages/web-app-files/package.json b/packages/web-app-files/package.json
@@ -15,6 +15,7 @@
     "axios": "1.7.7",
     "design-system": "workspace:@ownclouders/design-system@*",
     "email-validator": "^2.0.4",
+    "escape-html": "^1.0.3",
     "filesize": "^10.1.0",
     "fuse.js": "7.0.0",
     "lodash-es": "4.17.21",

diff --git a/packages/web-app-files/src/components/SideBar/ActivitiesPanel.vue b/packages/web-app-files/src/components/SideBar/ActivitiesPanel.vue
@@ -42,6 +42,7 @@ import { useTask } from 'vue-concurrency'
 import { call, Resource } from '@ownclouders/web-client'
 import { DateTime } from 'luxon'
 import { Activity } from '@ownclouders/web-client/graph/generated'
+import escape from 'escape-html'
 
 const visibilityObserver = new VisibilityObserver()
 export default defineComponent({
@@ -82,7 +83,9 @@ export default defineComponent({
     const getHtmlFromActivity = (activity: Activity) => {
       let message = activity.template.message
       for (const [key, value] of Object.entries(activity.template.variables)) {
-        message = message.replace(`{${key}}`, `<strong>${value.displayName || value.name}</strong>`)
+        const escapedValue = escape(value.displayName || value.name)
+
+        message = message.replace(`{${key}}`, `<strong>${escapedValue}</strong>`)
       }
       return message
     }

diff --git a/packages/web-runtime/package.json b/packages/web-runtime/package.json
@@ -22,9 +22,10 @@
     "deepmerge": "4.3.1",
     "design-system": "workspace:@ownclouders/design-system@*",
     "email-validator": "2.0.4",
+    "escape-html": "^1.0.3",
     "filesize": "^10.1.0",
-    "focus-trap-vue": "^4.0.1",
     "focus-trap": "7.6.0",
+    "focus-trap-vue": "^4.0.1",
     "fuse.js": "7.0.0",
     "lodash-es": "4.17.21",
     "luxon": "3.5.0",
@@ -38,9 +39,9 @@
     "semver": "7.6.3",
     "utf8": "^3.0.0",
     "uuid": "10.0.0",
+    "vue": "3.5.10",
     "vue-concurrency": "5.0.1",
     "vue-router": "4.2.5",
-    "vue": "3.5.10",
     "vue3-gettext": "2.4.0",
     "webdav": "5.7.1",
     "xml-js": "^1.6.11",

diff --git a/packages/web-runtime/src/components/Topbar/Notifications.vue b/packages/web-runtime/src/components/Topbar/Notifications.vue
@@ -90,6 +90,7 @@ import { useTask } from 'vue-concurrency'
 import { MESSAGE_TYPE } from '@ownclouders/web-client/sse'
 import { call } from '@ownclouders/web-client'
 import { AxiosHeaders } from 'axios'
+import escape from 'escape-html'
 
 const POLLING_INTERVAL = 30000
 
@@ -138,7 +139,7 @@ export default {
             }
             interpolatedMessage = interpolatedMessage.replace(
               `{${param.name}}`,
-              `<strong>${label}</strong>`
+              `<strong>${escape(label)}</strong>`
             )
           }
         }

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml