IlyaSobolev/DocSpace-client
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed Bug 63728 - Settings: Customization. Xss script inserted into the Welcome Page line breaks the authorization page.

Browse Source
This commit is contained in:
Timofey Boyko 2023-08-22 12:16:14 +03:00
parent 83d4daf9e1
commit f182292c44
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
packages/login/src/server/lib/template.ts
View File

@ -49,9 +49,17 @@ const template: Template = (
});
}
const initialLoginStateStringify = JSON.stringify(initLoginState);
const initialLoginStateString = initialLoginStateStringify.includes(
"</script>"
)
? initialLoginStateStringify.replace(/<\/script>/g, "<\\/script>")
: initialLoginStateStringify;
const scripts = `
<script id="__ASC_INITIAL_LOGIN_STATE__">
window.__ASC_INITIAL_LOGIN_STATE__ = ${JSON.stringify(initLoginState)}
window.__ASC_INITIAL_LOGIN_STATE__ = ${initialLoginStateString}
</script>
<script id="__ASC_INITIAL_LOGIN_I18N__">
window.initialI18nStoreASC = ${JSON.stringify(initialI18nStoreASC)}