From a7c6851f006b8598cc8333a6ae751fe46fdd089f Mon Sep 17 00:00:00 2001
From: Jan Ackermann
Date: Wed, 2 Oct 2024 11:12:39 +0200
Subject: [PATCH] Escape html in ActivitiesPanel and Notificiation

---
 packages/web-app-files/package.json | 1 +
 .../src/components/SideBar/ActivitiesPanel.vue | 5 ++++-
 packages/web-runtime/package.json | 5 +++--
 .../src/components/Topbar/Notifications.vue | 3 ++-
 pnpm-lock.yaml | 12 +++++++++---
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/packages/web-app-files/package.json b/packages/web-app-files/package.json
index c3317c3eda6..a97ffb490e2 100644
--- a/packages/web-app-files/package.json
+++ b/packages/web-app-files/package.json
@@ -15,6 +15,7 @@
 "axios": "1.7.7",
 "design-system": "workspace:@ownclouders/design-system@*",
 "email-validator": "^2.0.4",
+ "escape-html": "^1.0.3",
 "filesize": "^10.1.0",
 "fuse.js": "7.0.0",
 "lodash-es": "4.17.21",
diff --git a/packages/web-app-files/src/components/SideBar/ActivitiesPanel.vue b/packages/web-app-files/src/components/SideBar/ActivitiesPanel.vue
index 1d58f00f027..933954651b9 100644
--- a/packages/web-app-files/src/components/SideBar/ActivitiesPanel.vue
+++ b/packages/web-app-files/src/components/SideBar/ActivitiesPanel.vue
@@ -42,6 +42,7 @@ import { useTask } from 'vue-concurrency'
 import { call, Resource } from '@ownclouders/web-client'
 import { DateTime } from 'luxon'
 import { Activity } from '@ownclouders/web-client/graph/generated'
+import escape from 'escape-html'
 
 const visibilityObserver = new VisibilityObserver()
 export default defineComponent({
@@ -82,7 +83,9 @@ export default defineComponent({
 const getHtmlFromActivity = (activity: Activity) => {
 let message = activity.template.message
 for (const [key, value] of Object.entries(activity.template.variables)) {
- message = message.replace(`{${key}}`, `${value.displayName || value.name}`)
+ const escapedValue = escape(value.displayName || value.name)
+
+ message = message.replace(`{${key}}`, `${escapedValue}`)
 }
 return message
 }
diff --git a/packages/web-runtime/package.json b/packages/web-runtime/package.json
index b137fce7a82..3f56e8b6208 100644
--- a/packages/web-runtime/package.json
+++ b/packages/web-runtime/package.json
@@ -22,9 +22,10 @@
 "deepmerge": "4.3.1",
 "design-system": "workspace:@ownclouders/design-system@*",
 "email-validator": "2.0.4",
+ "escape-html": "^1.0.3",
 "filesize": "^10.1.0",
- "focus-trap-vue": "^4.0.1",
 "focus-trap": "7.6.0",
+ "focus-trap-vue": "^4.0.1",
 "fuse.js": "7.0.0",
 "lodash-es": "4.17.21",
 "luxon": "3.5.0",
@@ -38,9 +39,9 @@
 "semver": "7.6.3",
 "utf8": "^3.0.0",
 "uuid": "10.0.0",
+ "vue": "3.5.10",
 "vue-concurrency": "5.0.1",
 "vue-router": "4.2.5",
- "vue": "3.5.10",
 "vue3-gettext": "2.4.0",
 "webdav": "5.7.1",
 "xml-js": "^1.6.11",
diff --git a/packages/web-runtime/src/components/Topbar/Notifications.vue b/packages/web-runtime/src/components/Topbar/Notifications.vue
index b13d7357123..5b9995b733e 100644
--- a/packages/web-runtime/src/components/Topbar/Notifications.vue
+++ b/packages/web-runtime/src/components/Topbar/Notifications.vue
@@ -90,6 +90,7 @@ import { useTask } from 'vue-concurrency'
 import { MESSAGE_TYPE } from '@ownclouders/web-client/sse'
 import { call } from '@ownclouders/web-client'
 import { AxiosHeaders } from 'axios'
+import escape from 'escape-html'
 
 const POLLING_INTERVAL = 30000
 
@@ -138,7 +139,7 @@ export default {
 }
 interpolatedMessage = interpolatedMessage.replace(
 `{${param.name}}`,
- `${label}`
+ `${escape(label)}`
 )
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a310c0d207a..712b1ef7e90 100644
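Review bot: The escaped value is still handed to `String.prototype.replace` as a replacement string, so `$`-sequences in a display name (`$&`, `$'` and friends) are interpreted as substitution patterns instead of being inserted literally — escape-html does not touch `$`, and because it rewrites `'` to `&#39;`, a name containing `$'` becomes `$&#39;`, i.e. the `$&` pattern followed by text. What gets substituted is the matched placeholder or already-processed message text, so this corrupts the rendered activity rather than reintroducing markup, but a replacer function sidesteps the special handling entirely: ``message = message.replace(`{${key}}`, () => escapedValue)``. The Notifications.vue hunk at `@@ -138` has the same shape and would take ``() => escape(label)``, which also drops the redundant `${…}` template-literal wrapper around an already-string value. Unrelated to the escaping but worth fixing while here: a string pattern replaces only the first occurrence, so a template that uses the same placeholder twice keeps its second occurrence unreplaced (`replaceAll` fixes that if the build target allows). Both enclosing functions (`getHtmlFromActivity` here, the interpolation loop in Notifications.vue) begin outside their hunks, and escaping is sufficient only where the template places the value in element text or a quoted attribute — the templates themselves are not visible from the hunk.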
--- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -703,6 +703,9 @@ importers: email-validator: specifier: ^2.0.4 version: 2.0.4 + escape-html: + specifier: ^1.0.3 + version: 1.0.3 filesize: specifier: ^10.1.0 version: 10.1.6 @@ -1161,6 +1164,9 @@ importers: email-validator: specifier: 2.0.4 version: 2.0.4 + escape-html: + specifier: ^1.0.3 + version: 1.0.3 filesize: specifier: ^10.1.0 version: 10.1.6 @@ -4907,7 +4913,7 @@ packages: resolution: {integrity: sha512-oWb1Z6mkHIskLzEJ/XWX0srkpkTQ7vaopMQkyaEIoq0fmtFVxOthb8cCxeT+p3ynTdkk/RZwbgG4brR5BeWECw==} engines: {node: '>= 4.0'} os: [darwin] - deprecated: Upgrade to fsevents v2 to mitigate potential security issues + deprecated: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2 fsevents@2.3.2: resolution: {integrity: sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==} @@ -10280,7 +10286,7 @@ snapshots: '@cucumber/ci-environment': 9.1.0 '@cucumber/cucumber-expressions': 16.1.1 '@cucumber/gherkin': 26.0.3 - '@cucumber/gherkin-streams': 5.0.1(@cucumber/gherkin@26.0.3)(@cucumber/message-streams@4.0.1(@cucumber/messages@21.0.1))(@cucumber/messages@21.0.1) + '@cucumber/gherkin-streams': 5.0.1(@cucumber/gherkin@26.0.3)(@cucumber/message-streams@4.0.1(@cucumber/messages@26.0.1))(@cucumber/messages@21.0.1) '@cucumber/gherkin-utils': 8.0.2 '@cucumber/html-formatter': 20.2.1(@cucumber/messages@21.0.1) '@cucumber/message-streams': 4.0.1(@cucumber/messages@21.0.1) @@ -10318,7 +10324,7 @@ snapshots: yaml: 2.5.1 yup: 0.32.11 - '@cucumber/gherkin-streams@5.0.1(@cucumber/gherkin@26.0.3)(@cucumber/message-streams@4.0.1(@cucumber/messages@21.0.1))(@cucumber/messages@21.0.1)': + '@cucumber/gherkin-streams@5.0.1(@cucumber/gherkin@26.0.3)(@cucumber/message-streams@4.0.1(@cucumber/messages@26.0.1))(@cucumber/messages@21.0.1)': dependencies: '@cucumber/gherkin': 26.0.3 '@cucumber/message-streams': 4.0.1(@cucumber/messages@21.0.1)