From 96ca0ed90fac1157076a23be605cb3122db98287 Mon Sep 17 00:00:00 2001
From: Wim Brand
Date: Thu, 24 Dec 2020 00:07:40 +0100
Subject: [PATCH] Fix xss on account settings page
---
 res/include/md/acknowledgements.md | 3 ++-
 res/template/server_status.html | 4 ++--
 webcontroller/user_settings.go | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/res/include/md/acknowledgements.md b/res/include/md/acknowledgements.md
index be35221..50f9cd2 100644
--- a/res/include/md/acknowledgements.md
+++ b/res/include/md/acknowledgements.md
@@ -30,7 +30,8 @@
 * 2020-12-06 Security researcher Arian Firoozfar reported a cross-site scripting
 vulnerability on the file viewer page. The issue was fixed the
- following day.
+ following day. On the 26th another XSS vulnerability was found on the account
+ settings page, it was fixed later that day.
 * 2017-12-04 Security researcher Hangyi reported a cross-site scripting
 vulnerability on the file viewer page. The issue was fixed on the 6th.
diff --git a/res/template/server_status.html b/res/template/server_status.html
index fcb1db1..76df37e 100644
--- a/res/template/server_status.html
+++ b/res/template/server_status.html
@@ -16,8 +16,8 @@
 {{template "page_menu" .}}
-
- +
+
{{template "analytics"}}
diff --git a/webcontroller/user_settings.go b/webcontroller/user_settings.go
index ae70bb0..c655a3a 100644
--- a/webcontroller/user_settings.go
+++ b/webcontroller/user_settings.go
@@ -2,6 +2,7 @@ package webcontroller
 import (
 "fmt"
+ "html"
 "html/template"
 "net/http"
@@ -211,7 +212,7 @@ func (wc *WebController) usernameForm(td *TemplateData, r *http.Request) (f Form
 // Request was a success
 f.SubmitSuccess = true
 f.SubmitMessages = []template.HTML{template.HTML(
- "Success! You are now " + f.FieldVal("new_username"),
+ "Success! You are now " + html.EscapeString(f.FieldVal("new_username")),
 )}
 }
 }
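Review bot: The escaped username is still wrapped in `template.HTML`, which tells html/template to trust the whole string, so the protection now rests on every message builder remembering to call `html.EscapeString` before the cast rather than on the template engine's default escaping. Since `SubmitMessages` is typed `[]template.HTML`, the invariant should at least be stated at the construction site, e.g. `// new_username is user input: escape it before marking the message as trusted HTML.`, and any other handler in this file that concatenates `f.FieldVal(...)` into a `template.HTML` would need the same treatment. `html.EscapeString` escapes only `<`, `>`, `&`, `'` and `"`, which is sufficient when the message is rendered as element content but not if the template places it in an attribute or script context; that context is not visible in the hunk and is worth confirming in the template. The body of usernameForm starts outside the hunk.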