haiwen / seafile

High performance file syncing and sharing, with also Markdown WYSIWYG editing, Wiki, file label and other knowledge management features.
http://seafile.com/

Sending Links with Passwords has no HTML escape #2830

Closed notenoughwoodsire closed 3 weeks ago

notenoughwoodsire commented 1 month ago

If one creates a link with a password and sends it via mail in Seafile, the password will be sent without HTML escaping. The message a user enters can also contain unescaped HTML.

This could lead to missing / wrong passwords after a "<" sign, or to malicious use, as external links could be injected into the code.

I used <h1>Hi</h1> to demonstrate this behaviour: image

Also, here a p=""> was added: image

A fix would be these replacements for the password and message variables in the code:

```javascript
// Escape the characters that would otherwise be interpreted as HTML
// ("&" must be replaced first so the other entities are not double-escaped).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}
```

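The following is an added example illustrating the report above; it is not Seafile's code and the e-mail template, function names and sample values in it are constructed stand-ins. It shows the unescaped interpolation that lets a password such as `pa<ss"word` or a message such as `<h1>Hi</h1>` become markup, the escaping fix applied at every interpolation point, and a small check that flags any tag the template itself did not put there. It goes slightly beyond the four replacements in the issue by also escaping the single quote, so the same helper is safe inside `'...'` attribute values.

```javascript
// Added example (not Seafile's code). The e-mail template, function names
// and sample data below are constructed for illustration only.

// Escape the five characters that can change meaning in HTML text and
// attribute contexts. The issue lists the first four replacements; the
// single-quote replacement is an addition so the helper also covers '...'
// attribute values. "&" goes first so entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: user-controlled values are concatenated straight into
// the HTML body of the share-link mail.
function renderShareMailUnsafe(link, password, message) {
  return '<p>Link: <a href="' + link + '">' + link + '</a></p>' +
         '<p>Password: ' + password + '</p>' +
         '<p>Message: ' + message + '</p>';
}

// Hardened form: every untrusted value passes through escapeHtml first,
// so the mail client renders it as text rather than as markup.
function renderShareMailSafe(link, password, message) {
  const l = escapeHtml(link);
  const p = escapeHtml(password);
  const m = escapeHtml(message);
  return '<p>Link: <a href="' + l + '">' + l + '</a></p>' +
         '<p>Password: ' + p + '</p>' +
         '<p>Message: ' + m + '</p>';
}

// Constructed review heuristic: does the rendered mail contain any tag
// other than the <p> and <a> elements the template itself emits?
function hasForeignTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some(t => !/^<\/?(p|a)$/.test(t));
}

// Constructed sample input modelled on the reproduction in the report.
const SAMPLE = {
  link: 'https://example.invalid/d/abc123/',   // placeholder share link
  password: 'pa<ss"word',                      // "<" truncates the shown password
  message: '<h1>Hi</h1>',                      // the report's test message
};

// Render both variants and report whether foreign markup survived.
function demo() {
  const unsafe = renderShareMailUnsafe(SAMPLE.link, SAMPLE.password, SAMPLE.message);
  const safe = renderShareMailSafe(SAMPLE.link, SAMPLE.password, SAMPLE.message);
  return {
    unsafe,
    safe,
    unsafeHasForeign: hasForeignTags(unsafe),
    safeHasForeign: hasForeignTags(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('unsafe:', r.unsafe, '\nforeign tags:', r.unsafeHasForeign);
  console.log('safe:  ', r.safe, '\nforeign tags:', r.safeHasForeign);
}
```

The `hasForeignTags` check is deliberately crude; it is meant as a regression assertion on the mail renderer's output, not as a sanitizer. The real fix is to escape at every point where a value is interpolated into HTML, as the report proposes.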
imwhatiam commented 3 weeks ago

@notenoughwoodsire Hello, this issue does indeed exist, and we will be updating this part of the code soon.

freeplant commented 3 weeks ago

The fix will be included in the next release.