3.0.7

Fix potential vulnerability in item label field
nilsteampassnet · May 9, 2023 · 57a977c · 57a977c
1 parent fc0edc8
commit 57a977c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/pages/items.js.php b/pages/items.js.php
@@ -2794,15 +2794,15 @@ function(teampassApplication) {
                 var data = {
                     'anyone_can_modify': $('#form-item-anyoneCanModify').is(':checked') ? 1 : 0,
                     'complexity_level': parseInt($('#form-item-password-complex').val()),
-                    'description': $('#form-item-description').summernote('code') !== "<p><br></p>" ? DOMPurify.sanitize($('#form-item-description').summernote('code'), {USE_PROFILES: {html: true}}) : '',
+                    'description': $('#form-item-description').summernote('code') !== "<p><br></p>" ? DOMPurify.sanitize($('#form-item-description').summernote('code'), {USE_PROFILES: {html: true, svg: false, svgFilters: false}}) : '',
                     'diffusion_list': diffusion,
                     'diffusion_list_names': diffusionNames,
                     'folder': parseInt($('#form-item-folder').val()),
                     'email': DOMPurify.sanitize($('#form-item-email').val()),
                     'fields': fields,
                     'folder_is_personal': store.get('teampassItem').IsPersonalFolder === 1 ? 1 : 0,
                     'id': store.get('teampassItem').id,
-                    'label': DOMPurify.sanitize($('#form-item-label').val()),
+                    'label': DOMPurify.sanitize($('#form-item-label').val(), {USE_PROFILES: {html:false, svg: false, svgFilters: false}}),
                     'login': DOMPurify.sanitize($('#form-item-login').val()),
                     'pw': $('#form-item-password').val(),
                     'restricted_to': restriction,