fix: #9636, sanitize all attributes in meta and link tags

4 years ago · 849049765b
parent 09bac6bd7e
commit 849049765b
2 changed files with 17 additions and 13 deletions
--- a/public/src/modules/helpers.js
+++ b/public/src/modules/helpers.js
@ -68,13 +68,8 @@
 	}

 	function buildLinkTag(tag) {
-		var link = tag.link ? 'link="' + tag.link + '" ' : '';
-		var rel = tag.rel ? 'rel="' + tag.rel + '" ' : '';
-		var as = tag.as ? 'as="' + tag.as + '" ' : '';
-		var type = tag.type ? 'type="' + tag.type + '" ' : '';
-		var href = tag.href ? 'href="' + tag.href + '" ' : '';
-		var sizes = tag.sizes ? 'sizes="' + tag.sizes + '" ' : '';
-		var title = tag.title ? 'title="' + tag.title + '" ' : '';
+		const attributes = ['link', 'rel', 'as', 'type', 'href', 'sizes', 'title'];
+		const [link, rel, as, type, href, sizes, title] = attributes.map(attr => (tag[attr] ? `${attr}="${tag[attr]}" ` : ''));

 		return '<link ' + link + rel + as + type + sizes + title + href + '/>\n\t';
 	}
--- a/src/meta/tags.js
+++ b/src/meta/tags.js
@ -154,7 +154,10 @@ Tags.parse = async (req, data, meta, link) => {
 		}

 		if (!tag.noEscape) {
-			tag.content = utils.escapeHTML(String(tag.content));
+			const attributes = Object.keys(tag);
+			attributes.forEach((attr) => {
+				tag[attr] = utils.escapeHTML(String(tag[attr]));
+			});
 		}

 		return tag;
@ -168,12 +171,18 @@ Tags.parse = async (req, data, meta, link) => {
 	addIfNotExists(meta, 'name', 'description', Meta.config.description);
 	addIfNotExists(meta, 'property', 'og:description', Meta.config.description);

-	link = results.links.links.concat(link || []);
+	link = results.links.links.concat(link || []).map((tag) => {
+		if (!tag.noEscape) {
+			const attributes = Object.keys(tag);
+			attributes.forEach((attr) => {
+				tag[attr] = utils.escapeHTML(String(tag[attr]));
+			});
+		}
+
+		return tag;
+	});

-	return {
-		meta: meta,
-		link: link,
-	};
+	return { meta, link };
 };

 function addIfNotExists(meta, keyName, tagName, value) {