
[PM-3563] Prevent org name from injecting HTML into FD notes (#3219)

* prevent org name from injecting HTML into FD notes

* htmlencode
This commit is contained in:
Kyle Spearrin 2023-08-30 12:11:33 -04:00 committed by GitHub
parent e679d3127a
commit 257efe3f9a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,6 +1,7 @@
using System.ComponentModel.DataAnnotations; using System.ComponentModel.DataAnnotations;
using System.Reflection; using System.Reflection;
using System.Text; using System.Text;
using System.Web;
using Bit.Billing.Models; using Bit.Billing.Models;
using Bit.Core.Repositories; using Bit.Core.Repositories;
using Bit.Core.Settings; using Bit.Core.Settings;
@ -77,7 +78,9 @@ public class FreshdeskController : Controller
foreach (var org in orgs) foreach (var org in orgs)
{ {
var orgNote = $"{org.Name} ({org.Seats.GetValueOrDefault()}): " + // Prevent org names from injecting any additional HTML
var orgName = HttpUtility.HtmlEncode(org.Name);
var orgNote = $"{orgName} ({org.Seats.GetValueOrDefault()}): " +
$"{_globalSettings.BaseServiceUri.Admin}/organizations/edit/{org.Id}"; $"{_globalSettings.BaseServiceUri.Admin}/organizations/edit/{org.Id}";
note += $"<li>Org, {orgNote}</li>"; note += $"<li>Org, {orgNote}</li>";
if (!customFields.Any(kvp => kvp.Key == _billingSettings.FreshDesk.OrgFieldName)) if (!customFields.Any(kvp => kvp.Key == _billingSettings.FreshDesk.OrgFieldName))