fix: Cross-Site Scripting (XSS) via HTML pages for password reset and email verification [GHSA-jhgf-2h8h-ggxv](https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv) (#9985)

2025-12-14 15:44:04 +01:00
parent 7028e0385c
commit 3074eb70f5
7 changed files with 89 additions and 21 deletions
--- a/public/de-AT/password_reset.html
+++ b/public/de-AT/password_reset.html
@@ -23,11 +23,11 @@
  <p>You can set a new Password for your account: {{username}}</p>
  <br />
  <p>{{error}}</p>  
-  <form id='form' action='{{{publicServerUrl}}}/apps/{{{appId}}}/request_password_reset' method='POST'>
+  <form id='form' action='{{publicServerUrl}}/apps/{{appId}}/request_password_reset' method='POST'>
    <input name='utf-8' type='hidden' value='✓' />
-    <input name="username" type="hidden" id="username" value="{{{username}}}" />
-    <input name="token" type="hidden" id="token" value="{{{token}}}" />
-    <input name="locale" type="hidden" id="locale" value="{{{locale}}}" />
+    <input name="username" type="hidden" id="username" value="{{username}}" />
+    <input name="token" type="hidden" id="token" value="{{token}}" />
+    <input name="locale" type="hidden" id="locale" value="{{locale}}" />

    <p>New Password</p>
    <input name="new_password" type="password" id="password" />