[PM-3563] Prevent org name from injecting HTML into FD notes (#3219)
* prevent org name from injecting HTML into FD notes * htmlencode
This commit is contained in:
parent
e679d3127a
commit
257efe3f9a
@ -1,6 +1,7 @@
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using System.Reflection;
|
||||
using System.Text;
|
||||
using System.Web;
|
||||
using Bit.Billing.Models;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Settings;
|
||||
@ -77,7 +78,9 @@ public class FreshdeskController : Controller
|
||||
|
||||
foreach (var org in orgs)
|
||||
{
|
||||
var orgNote = $"{org.Name} ({org.Seats.GetValueOrDefault()}): " +
|
||||
// Prevent org names from injecting any additional HTML
|
||||
var orgName = HttpUtility.HtmlEncode(org.Name);
|
||||
var orgNote = $"{orgName} ({org.Seats.GetValueOrDefault()}): " +
|
||||
$"{_globalSettings.BaseServiceUri.Admin}/organizations/edit/{org.Id}";
|
||||
note += $"<li>Org, {orgNote}</li>";
|
||||
if (!customFields.Any(kvp => kvp.Key == _billingSettings.FreshDesk.OrgFieldName))
|
||||
|
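Review bot: The encoding added at `var orgName = HttpUtility.HtmlEncode(org.Name);` protects only the org name, while the `note` string is assembled from several interpolated values per iteration; any other value in this note that comes from a user- or customer-editable field would need the same treatment, which I cannot confirm from the hunk. `Seats` and `Id` are non-string values and the admin link is built from settings plus `org.Id`, not the name, so those interpolations are safe as written. To make this hard to miss when the note grows, consider a small local helper applied at every interpolation site, e.g. `static string Safe(string? value) => HttpUtility.HtmlEncode(value) ?? string.Empty;` and then `$"{Safe(org.Name)} ({org.Seats.GetValueOrDefault()}): "`. The foreach body and the `if` opened on the hunk's last line continue past the hunk.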