CVE-2020-24582: Escape all strings interpolated into HTML.

Also fix various variable names to consistently indicate which strings
contain HTML.

Some of these changes close cross-site scripting vulnerabilities, and
others are for consistency.  It’s important to be meticulously
consistent about escaping so that changes that would introduce
vulnerabilities stand out as obviously wrong.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
Anders Kaseorg
2020-08-24 19:37:37 -07:00
parent b7240e1c40
commit a9d59b3dcd
23 changed files with 170 additions and 154 deletions


@@ -4,7 +4,6 @@ import path from 'path';
import stream from 'stream';
import util from 'util';
import escape from 'escape-html';
import getStream from 'get-stream';
import {ServerConf} from '../renderer/js/utils/domain-util';
@@ -73,7 +72,7 @@ export const _getServerSettings = async (domain: string, session: Electron.sessi
// Following check handles both the cases
icon: realm_icon.startsWith('/') ? realm_uri + realm_icon : realm_icon,
url: realm_uri,
alias: escape(realm_name)
alias: realm_name
};
};