From 3074eb70f5b58bf72b528ae7b7804ed2d90455ce Mon Sep 17 00:00:00 2001
From: Manuel <5673677+mtrezza@users.noreply.github.com>
Date: Sun, 14 Dec 2025 15:44:04 +0100
Subject: [PATCH] fix: Cross-Site Scripting (XSS) via HTML pages for password
 reset and email verification
 [GHSA-jhgf-2h8h-ggxv](https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv)
 (#9985)

---
 .../email_verification_link_expired.html      |  6 +-
 public/de-AT/password_reset.html              |  8 +--
 .../de/email_verification_link_expired.html   |  6 +-
 public/de/password_reset.html                 |  8 +--
 public/email_verification_link_expired.html   |  6 +-
 public/password_reset.html                    |  8 +--
 spec/PagesRouter.spec.js                      | 68 +++++++++++++++++++
 7 files changed, 89 insertions(+), 21 deletions(-)

diff --git a/public/de-AT/email_verification_link_expired.html b/public/de-AT/email_verification_link_expired.html
index cae39c7a..6a664c48 100644
--- a/public/de-AT/email_verification_link_expired.html
+++ b/public/de-AT/email_verification_link_expired.html
@@ -14,9 +14,9 @@
 <body>
   <h1>{{appName}}</h1>
   <h1>Expired verification link!</h1>
-  <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="token" type="hidden" value="{{{token}}}">
-    <input name="locale" type="hidden" value="{{{locale}}}">
+  <form method="POST" action="{{publicServerUrl}}/apps/{{appId}}/resend_verification_email">
+    <input name="token" type="hidden" value="{{token}}">
+    <input name="locale" type="hidden" value="{{locale}}">
     <button type="submit">Resend Link</button>
   </form>
 </body>
diff --git a/public/de-AT/password_reset.html b/public/de-AT/password_reset.html
index 49cb65b1..73cb1e3d 100644
--- a/public/de-AT/password_reset.html
+++ b/public/de-AT/password_reset.html
@@ -23,11 +23,11 @@
   <p>You can set a new Password for your account: {{username}}</p>
   <br />
   <p>{{error}}</p>  
-  <form id='form' action='{{{publicServerUrl}}}/apps/{{{appId}}}/request_password_reset' method='POST'>
+  <form id='form' action='{{publicServerUrl}}/apps/{{appId}}/request_password_reset' method='POST'>
     <input name='utf-8' type='hidden' value='✓' />
-    <input name="username" type="hidden" id="username" value="{{{username}}}" />
-    <input name="token" type="hidden" id="token" value="{{{token}}}" />
-    <input name="locale" type="hidden" id="locale" value="{{{locale}}}" />
+    <input name="username" type="hidden" id="username" value="{{username}}" />
+    <input name="token" type="hidden" id="token" value="{{token}}" />
+    <input name="locale" type="hidden" id="locale" value="{{locale}}" />
 
     <p>New Password</p>
     <input name="new_password" type="password" id="password" />
diff --git a/public/de/email_verification_link_expired.html b/public/de/email_verification_link_expired.html
index cae39c7a..6a664c48 100644
--- a/public/de/email_verification_link_expired.html
+++ b/public/de/email_verification_link_expired.html
@@ -14,9 +14,9 @@
 <body>
   <h1>{{appName}}</h1>
   <h1>Expired verification link!</h1>
-  <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="token" type="hidden" value="{{{token}}}">
-    <input name="locale" type="hidden" value="{{{locale}}}">
+  <form method="POST" action="{{publicServerUrl}}/apps/{{appId}}/resend_verification_email">
+    <input name="token" type="hidden" value="{{token}}">
+    <input name="locale" type="hidden" value="{{locale}}">
     <button type="submit">Resend Link</button>
   </form>
 </body>
diff --git a/public/de/password_reset.html b/public/de/password_reset.html
index 49cb65b1..73cb1e3d 100644
--- a/public/de/password_reset.html
+++ b/public/de/password_reset.html
@@ -23,11 +23,11 @@
   <p>You can set a new Password for your account: {{username}}</p>
   <br />
   <p>{{error}}</p>  
-  <form id='form' action='{{{publicServerUrl}}}/apps/{{{appId}}}/request_password_reset' method='POST'>
+  <form id='form' action='{{publicServerUrl}}/apps/{{appId}}/request_password_reset' method='POST'>
     <input name='utf-8' type='hidden' value='✓' />
-    <input name="username" type="hidden" id="username" value="{{{username}}}" />
-    <input name="token" type="hidden" id="token" value="{{{token}}}" />
-    <input name="locale" type="hidden" id="locale" value="{{{locale}}}" />
+    <input name="username" type="hidden" id="username" value="{{username}}" />
+    <input name="token" type="hidden" id="token" value="{{token}}" />
+    <input name="locale" type="hidden" id="locale" value="{{locale}}" />
 
     <p>New Password</p>
     <input name="new_password" type="password" id="password" />
diff --git a/public/email_verification_link_expired.html b/public/email_verification_link_expired.html
index cae39c7a..6a664c48 100644
--- a/public/email_verification_link_expired.html
+++ b/public/email_verification_link_expired.html
@@ -14,9 +14,9 @@
 <body>
   <h1>{{appName}}</h1>
   <h1>Expired verification link!</h1>
-  <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="token" type="hidden" value="{{{token}}}">
-    <input name="locale" type="hidden" value="{{{locale}}}">
+  <form method="POST" action="{{publicServerUrl}}/apps/{{appId}}/resend_verification_email">
+    <input name="token" type="hidden" value="{{token}}">
+    <input name="locale" type="hidden" value="{{locale}}">
     <button type="submit">Resend Link</button>
   </form>
 </body>
diff --git a/public/password_reset.html b/public/password_reset.html
index 49cb65b1..73cb1e3d 100644
--- a/public/password_reset.html
+++ b/public/password_reset.html
@@ -23,11 +23,11 @@
   <p>You can set a new Password for your account: {{username}}</p>
   <br />
   <p>{{error}}</p>  
-  <form id='form' action='{{{publicServerUrl}}}/apps/{{{appId}}}/request_password_reset' method='POST'>
+  <form id='form' action='{{publicServerUrl}}/apps/{{appId}}/request_password_reset' method='POST'>
     <input name='utf-8' type='hidden' value='✓' />
-    <input name="username" type="hidden" id="username" value="{{{username}}}" />
-    <input name="token" type="hidden" id="token" value="{{{token}}}" />
-    <input name="locale" type="hidden" id="locale" value="{{{locale}}}" />
+    <input name="username" type="hidden" id="username" value="{{username}}" />
+    <input name="token" type="hidden" id="token" value="{{token}}" />
+    <input name="locale" type="hidden" id="locale" value="{{locale}}" />
 
     <p>New Password</p>
     <input name="new_password" type="password" id="password" />
diff --git a/spec/PagesRouter.spec.js b/spec/PagesRouter.spec.js
index 0aa5bb35..009254df 100644
--- a/spec/PagesRouter.spec.js
+++ b/spec/PagesRouter.spec.js
@@ -1180,4 +1180,72 @@ describe('Pages Router', () => {
       });
     });
   });
+
+  describe('XSS Protection', () => {
+    beforeEach(async () => {
+      await reconfigureServer({
+        appId: 'test',
+        appName: 'exampleAppname',
+        publicServerURL: 'http://localhost:8378/1',
+        pages: { enableRouter: true },
+      });
+    });
+
+    it('should escape XSS payloads in token parameter', async () => {
+      const xssPayload = '"><script>alert("XSS")</script>';
+      const response = await request({
+        url: `http://localhost:8378/1/apps/choose_password?token=${encodeURIComponent(xssPayload)}&username=test&appId=test`,
+      });
+
+      expect(response.status).toBe(200);
+      expect(response.text).not.toContain('<script>alert("XSS")</script>');
+      expect(response.text).toContain('&quot;&gt;&lt;script&gt;');
+    });
+
+    it('should escape XSS in username parameter', async () => {
+      const xssUsername = '<img src=x onerror=alert(1)>';
+      const response = await request({
+        url: `http://localhost:8378/1/apps/choose_password?username=${encodeURIComponent(xssUsername)}&appId=test`,
+      });
+
+      expect(response.status).toBe(200);
+      expect(response.text).not.toContain('<img src=x onerror=alert(1)>');
+      expect(response.text).toContain('&lt;img');
+    });
+
+    it('should escape XSS in locale parameter', async () => {
+      const xssLocale = '"><svg/onload=alert(1)>';
+      const response = await request({
+        url: `http://localhost:8378/1/apps/choose_password?locale=${encodeURIComponent(xssLocale)}&appId=test`,
+      });
+
+      expect(response.status).toBe(200);
+      expect(response.text).not.toContain('<svg/onload=alert(1)>');
+      expect(response.text).toContain('&quot;&gt;&lt;svg');
+    });
+
+    it('should handle legitimate usernames with quotes correctly', async () => {
+      const username = "O'Brien";
+      const response = await request({
+        url: `http://localhost:8378/1/apps/choose_password?username=${encodeURIComponent(username)}&appId=test`,
+      });
+
+      expect(response.status).toBe(200);
+      // Should be properly escaped as HTML entity
+      expect(response.text).toContain('O&#39;Brien');
+      // Should NOT contain unescaped quote that breaks HTML
+      expect(response.text).not.toContain('value="O\'Brien"');
+    });
+
+    it('should handle legitimate usernames with ampersands correctly', async () => {
+      const username = 'Smith & Co';
+      const response = await request({
+        url: `http://localhost:8378/1/apps/choose_password?username=${encodeURIComponent(username)}&appId=test`,
+      });
+
+      expect(response.status).toBe(200);
+      // Should be properly escaped
+      expect(response.text).toContain('Smith &amp; Co');
+    });
+  });
 });