Prevented possible XSS via link attachments

This filters out potentially malicious javascript: or data: URIs coming
through to be attached to attachments.
Added tests to cover.

Thanks to Yassine ABOUKIR (@yassineaboukir on twitter) for reporting this
vulnerability.
Dan Brown
2020-10-31 15:01:52 +00:00
parent 18bcafaee4
commit 349162ea13
5 changed files with 80 additions and 31 deletions


@ -90,6 +90,7 @@ return [
'required_without' => 'The :attribute field is required when :values is not present.',
'required_without_all' => 'The :attribute field is required when none of :values are present.',
'same' => 'The :attribute and :other must match.',
'safe_url' => 'The provided link may not be safe.',
'size' => [
'numeric' => 'The :attribute must be :size.',
'file' => 'The :attribute must be :size kilobytes.',
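Review bot: the new 'safe_url' message is the only entry in this hunk that omits the :attribute placeholder used by its neighbours ('required_without', 'same', 'size.numeric', 'size.file'), so when the rule is applied to more than one input the error cannot say which field was rejected; consider 'The :attribute link may not be safe.' The wording also gives the user nothing to act on: it says the link "may not be safe" without indicating that javascript: and data: URIs are what is filtered, which the commit message states is the intent. The rule implementation that consumes this message is not in this hunk, so whether it matches that description cannot be checked here.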