Try to fix some security issue.

Thanks to Responsible Security Disclousure contributors and xet7 !
2025-04-23 13:37:09 -04:00 · 2023-02-28 14:16:08 +02:00 · 2023-02-28 14:16:08 +02:00 · 5d79c231ed
commit 5d79c231ed
parent 972f0481e5
1 changed files with 34 additions and 29 deletions
--- a/models/cardComments.js
+++ b/models/cardComments.js
@ -1,4 +1,5 @@
 import escapeForRegex from 'escape-string-regexp';
+import DOMPurify from 'dompurify';

 CardComments = new Mongo.Collection('card_comments');

@ -101,39 +102,43 @@ CardComments.helpers({
  },

  toggleReaction(reactionCodepoint) {
-
-    const cardCommentReactions = CardCommentReactions.findOne({cardCommentId: this._id});
-    const reactions = !!cardCommentReactions ? cardCommentReactions.reactions : [];
-    const userId = Meteor.userId();
-    const reaction = reactions.find(r => r.reactionCodepoint === reactionCodepoint);
-
-    // If no reaction is set for the codepoint, add this
-    if (!reaction) {
-      reactions.push({ reactionCodepoint, userIds: [userId] });
+    if (reactionCodepoint !== DOMPurify.sanitize(reactionCodepoint)) {
+      return false;
    } else {

-      // toggle user reaction upon previous reaction state
-      const userHasReacted = reaction.userIds.includes(userId);
-      if (userHasReacted) {
-        reaction.userIds.splice(reaction.userIds.indexOf(userId), 1);
-        if (reaction.userIds.length === 0) {
-          reactions.splice(reactions.indexOf(reaction), 1);
-        }
+      const cardCommentReactions = CardCommentReactions.findOne({cardCommentId: this._id});
+      const reactions = !!cardCommentReactions ? cardCommentReactions.reactions : [];
+      const userId = Meteor.userId();
+      const reaction = reactions.find(r => r.reactionCodepoint === reactionCodepoint);
+
+      // If no reaction is set for the codepoint, add this
+      if (!reaction) {
+        reactions.push({ reactionCodepoint, userIds: [userId] });
      } else {
-        reaction.userIds.push(userId);
-      }
-    }

-    // If no reaction doc exists yet create otherwise update reaction set
-    if (!!cardCommentReactions) {
-      return CardCommentReactions.update({ _id: cardCommentReactions._id }, { $set: { reactions } });
-    } else {
-      return CardCommentReactions.insert({
-        boardId: this.boardId,
-        cardCommentId: this._id,
-        cardId: this.cardId,
-        reactions
-      });
+        // toggle user reaction upon previous reaction state
+        const userHasReacted = reaction.userIds.includes(userId);
+        if (userHasReacted) {
+          reaction.userIds.splice(reaction.userIds.indexOf(userId), 1);
+          if (reaction.userIds.length === 0) {
+            reactions.splice(reactions.indexOf(reaction), 1);
+          }
+        } else {
+          reaction.userIds.push(userId);
+        }
+      }
+
+      // If no reaction doc exists yet create otherwise update reaction set
+      if (!!cardCommentReactions) {
+        return CardCommentReactions.update({ _id: cardCommentReactions._id }, { $set: { reactions } });
+      } else {
+        return CardCommentReactions.insert({
+          boardId: this.boardId,
+          cardCommentId: this._id,
+          cardId: this.cardId,
+          reactions
+        });
+      }
    }
  }
 });