fix: Cross-Site Scripting (XSS) via HTML pages for password reset and email verification [GHSA-jhgf-2h8h-ggxv](https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv) (#9985)

2025-12-14 15:44:04 +01:00
parent 7028e0385c
commit 3074eb70f5
7 changed files with 89 additions and 21 deletions
--- a/public/de-AT/email_verification_link_expired.html
+++ b/public/de-AT/email_verification_link_expired.html
@@ -14,9 +14,9 @@
 <body>
  <h1>{{appName}}</h1>
  <h1>Expired verification link!</h1>
-  <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="token" type="hidden" value="{{{token}}}">
-    <input name="locale" type="hidden" value="{{{locale}}}">
+  <form method="POST" action="{{publicServerUrl}}/apps/{{appId}}/resend_verification_email">
+    <input name="token" type="hidden" value="{{token}}">
+    <input name="locale" type="hidden" value="{{locale}}">
    <button type="submit">Resend Link</button>
  </form>
 </body>
--- a/public/de-AT/password_reset.html
+++ b/public/de-AT/password_reset.html
@@ -23,11 +23,11 @@
  <p>You can set a new Password for your account: {{username}}</p>
  <br />
  <p>{{error}}</p>  
-  <form id='form' action='{{{publicServerUrl}}}/apps/{{{appId}}}/request_password_reset' method='POST'>
+  <form id='form' action='{{publicServerUrl}}/apps/{{appId}}/request_password_reset' method='POST'>
    <input name='utf-8' type='hidden' value='✓' />
-    <input name="username" type="hidden" id="username" value="{{{username}}}" />
-    <input name="token" type="hidden" id="token" value="{{{token}}}" />
-    <input name="locale" type="hidden" id="locale" value="{{{locale}}}" />
+    <input name="username" type="hidden" id="username" value="{{username}}" />
+    <input name="token" type="hidden" id="token" value="{{token}}" />
+    <input name="locale" type="hidden" id="locale" value="{{locale}}" />

    <p>New Password</p>
    <input name="new_password" type="password" id="password" />
--- a/public/de/email_verification_link_expired.html
+++ b/public/de/email_verification_link_expired.html
@@ -14,9 +14,9 @@
 <body>
  <h1>{{appName}}</h1>
  <h1>Expired verification link!</h1>
-  <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="token" type="hidden" value="{{{token}}}">
-    <input name="locale" type="hidden" value="{{{locale}}}">
+  <form method="POST" action="{{publicServerUrl}}/apps/{{appId}}/resend_verification_email">
+    <input name="token" type="hidden" value="{{token}}">
+    <input name="locale" type="hidden" value="{{locale}}">
    <button type="submit">Resend Link</button>
  </form>
 </body>
--- a/public/de/password_reset.html
+++ b/public/de/password_reset.html
@@ -23,11 +23,11 @@
  <p>You can set a new Password for your account: {{username}}</p>
  <br />
  <p>{{error}}</p>  
-  <form id='form' action='{{{publicServerUrl}}}/apps/{{{appId}}}/request_password_reset' method='POST'>
+  <form id='form' action='{{publicServerUrl}}/apps/{{appId}}/request_password_reset' method='POST'>
    <input name='utf-8' type='hidden' value='✓' />
-    <input name="username" type="hidden" id="username" value="{{{username}}}" />
-    <input name="token" type="hidden" id="token" value="{{{token}}}" />
-    <input name="locale" type="hidden" id="locale" value="{{{locale}}}" />
+    <input name="username" type="hidden" id="username" value="{{username}}" />
+    <input name="token" type="hidden" id="token" value="{{token}}" />
+    <input name="locale" type="hidden" id="locale" value="{{locale}}" />

    <p>New Password</p>
    <input name="new_password" type="password" id="password" />
--- a/public/email_verification_link_expired.html
+++ b/public/email_verification_link_expired.html
@@ -14,9 +14,9 @@
 <body>
  <h1>{{appName}}</h1>
  <h1>Expired verification link!</h1>
-  <form method="POST" action="{{{publicServerUrl}}}/apps/{{{appId}}}/resend_verification_email">
-    <input name="token" type="hidden" value="{{{token}}}">
-    <input name="locale" type="hidden" value="{{{locale}}}">
+  <form method="POST" action="{{publicServerUrl}}/apps/{{appId}}/resend_verification_email">
+    <input name="token" type="hidden" value="{{token}}">
+    <input name="locale" type="hidden" value="{{locale}}">
    <button type="submit">Resend Link</button>
  </form>
 </body>
--- a/public/password_reset.html
+++ b/public/password_reset.html
@@ -23,11 +23,11 @@
  <p>You can set a new Password for your account: {{username}}</p>
  <br />
  <p>{{error}}</p>  
-  <form id='form' action='{{{publicServerUrl}}}/apps/{{{appId}}}/request_password_reset' method='POST'>
+  <form id='form' action='{{publicServerUrl}}/apps/{{appId}}/request_password_reset' method='POST'>
    <input name='utf-8' type='hidden' value='✓' />
-    <input name="username" type="hidden" id="username" value="{{{username}}}" />
-    <input name="token" type="hidden" id="token" value="{{{token}}}" />
-    <input name="locale" type="hidden" id="locale" value="{{{locale}}}" />
+    <input name="username" type="hidden" id="username" value="{{username}}" />
+    <input name="token" type="hidden" id="token" value="{{token}}" />
+    <input name="locale" type="hidden" id="locale" value="{{locale}}" />

    <p>New Password</p>
    <input name="new_password" type="password" id="password" />