BookStack Code Mirror - bookstack/commit

]> BookStack Code Mirror - bookstack/commit

author	Dan Brown <redacted>
	Sat, 31 Oct 2020 15:01:52 +0000 (15:01 +0000)
committer	Dan Brown <redacted>
	Sat, 31 Oct 2020 15:01:52 +0000 (15:01 +0000)
commit	349162ea139556b2d25e09e155cec84e21cc9227
tree	4f6299476135a1addf64288b277288e50df13f12	tree \| snapshot
parent	18bcafaee46d249ae4d71ed75872af326c8a87eb	commit \| diff

Prevented possible XSS via link attachments

This filters out potentially malicious javascript: or data: uri's coming
through to be attached to attachments.
Added tests to cover.

Thanks to Yassine ABOUKIR (@yassineaboukir on twitter) for reporting this
vulnerability.

The core source code for the BookStack project.

RSS Atom

app/Http/Controllers/AttachmentController.php		diff \| blob \| history
app/Providers/AppServiceProvider.php		diff \| blob \| history
app/Uploads/AttachmentService.php		diff \| blob \| history
resources/lang/en/validation.php		diff \| blob \| history
tests/Uploads/AttachmentTest.php		diff \| blob \| history