commit f62c3ade9e4eb7c08f72d2a7b56b6bab7c21e180
parent 6a053fac33bbcb647365e9c8d7463e35cda8f047
Author: n0tr1v <n0tr1v@protonmail.com>
Date: Fri, 7 Apr 2023 14:01:26 -0700
fix notification thread name html exploit
Diffstat:
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/web/handlers/handlers.go b/pkg/web/handlers/handlers.go
@@ -20,6 +20,7 @@ import (
"github.com/notnil/chess"
_ "golang.org/x/image/bmp"
_ "golang.org/x/image/webp"
+ html2 "html"
"image"
_ "image/gif"
"image/png"
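Review bot: The new import aliases the standard `html` package as `html2`, which reads as a collision workaround rather than a descriptive name; if another identifier named `html` (presumably `html/template`) is already in scope, a name that says what this one is used for, e.g. `htmlesc "html"`, would be clearer, and if there is no collision the plain `"html"` import is the conventional form. The import block starts and ends outside the hunk, so whether a collision exists cannot be confirmed from here.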
@@ -1986,7 +1987,8 @@ func ThreadReplyHandler(c echo.Context) error {
subs, _ := db.GetUsersSubscribedToForumThread(thread.ID)
for _, sub := range subs {
if sub.UserID != authUser.ID {
- msg := fmt.Sprintf(`New reply in thread "<a href="/t/%s#%s">%s</a>"`, thread.UUID, message.UUID, thread.Name)
+ threadName := html2.EscapeString(thread.Name)
+ msg := fmt.Sprintf(`New reply in thread "<a href="/t/%s#%s">%s</a>"`, thread.UUID, message.UUID, threadName)
db.CreateNotification(msg, sub.UserID)
}
}
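Review bot: The added `html2.EscapeString` covers only the anchor text, while the same `fmt.Sprintf` still interpolates `thread.UUID` and `message.UUID` unescaped into the `href` attribute; that is safe only as long as those fields are guaranteed to be server-generated identifiers, an invariant this line now silently depends on. Since the notification is evidently rendered as HTML, the cheaper guard is to escape every interpolated value in the same way, `threadUUID := html2.EscapeString(thread.UUID)` and `messageUUID := html2.EscapeString(message.UUID)`, or better, to render the message through `html/template` so each value is escaped for its context automatically. A why-comment would also help the next reader, e.g. `// thread.Name is user-supplied and the notification is rendered as HTML, so escape it here.` ThreadReplyHandler begins and ends outside the hunk, so any earlier validation of these fields is not visible from here.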