Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(theming): Harden admin theming settings #50293

Merged
merged 3 commits into from
Jan 27, 2025
Merged

fix(theming): Harden admin theming settings #50293

merged 3 commits into from
Jan 27, 2025

Conversation

susnux
Copy link
Contributor

@susnux susnux commented Jan 21, 2025
edited
Loading

Summary

Ensure there is no " within the link to prevent XSS.
This is not a security issue as per our threat model as this can only be set by admin and admin can do everything.
But its hardens it (e.g. accidentally using an URL containing a double quote).

Checklist

@susnux susnux added this to the Nextcloud 31 milestone Jan 21, 2025
@susnux susnux requested review from artonge, nfebe and Pytal January 21, 2025 15:06
@susnux
Copy link
Contributor Author

susnux commented Jan 21, 2025

/backport to stable30

@susnux
Copy link
Contributor Author

susnux commented Jan 21, 2025

/backport to stable29

@Altahrim Altahrim mentioned this pull request Jan 21, 2025
Merged
@susnux susnux force-pushed the fix/harden-admin-settings branch from 2442f6b to 44b8d85 Compare January 21, 2025 15:48
@Altahrim Altahrim mentioned this pull request Jan 23, 2025
Merged
@AndyScherzinger
Copy link
Member

/backport to stable31

susnux added 3 commits January 27, 2025 14:20
@susnux
fix(theming): Harden admin web link settings
ff835fa 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux
fix(theming): Ensure to only send valid URLs to backend
4dac813 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux
chore: Compile assets
8aa3a15 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux force-pushed the fix/harden-admin-settings branch from 44b8d85 to 8aa3a15 Compare January 27, 2025 13:22
@AndyScherzinger AndyScherzinger merged commit 6dc83b9 into master Jan 27, 2025
190 checks passed
@AndyScherzinger AndyScherzinger deleted the fix/harden-admin-settings branch January 27, 2025 17:55
This was referenced Jan 27, 2025
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@artonge artonge artonge approved these changes

@Pytal Pytal Pytal approved these changes

@nfebe nfebe Awaiting requested review from nfebe

Assignees
No one assigned
Labels
3. to review Waiting for reviews bug feature: theming
Projects
None yet
Milestone
Nextcloud 32
Development

Successfully merging this pull request may close these issues.
4 participants
@susnux @AndyScherzinger @artonge @Pytal