CVE-2023-3067: fix sanitization of autocomplete against XSS · zadam/trilium@4c3fcc3
Stored Cross-site Scripting (XSS) in GitHub repository zadam/trilium prior to 0.59.4.
@@ -307,7 +307,7 @@ function highlightSearchResults(searchResults, highlightedTokens) {
for (const result of searchResults) {
const note = becca.notes[result.noteId];
result.highlightedNotePathTitle = result.notePathTitle.replace('/[<\{\}]/g’, ‘’);
result.highlightedNotePathTitle = result.notePathTitle.replace(/[<{}]/g, ‘’);
if (highlightedTokens.find(token => note.type.includes(token))) {
result.highlightedNotePathTitle += ` "type: ${note.type}’`;
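Review bot: The fix still relies on a character blocklist: the new replace on the `highlightedNotePathTitle` line removes `<`, `{` and `}` but lets `>`, `"`, `'` and `&` through, so the title is only safe if it is always inserted as element text and never lands in an attribute or in markup that is parsed a second time. The fact that `<` is stripped suggests the string is later rendered as HTML by the autocomplete, so HTML-escaping before the `{}` stripping would close that gap without changing what the user sees: `result.highlightedNotePathTitle = result.notePathTitle.replace(/[&<>"']/g, c => ({'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'}[c])).replace(/[{}]/g, '');`. Whether an escapeHtml helper is already imported in this file cannot be seen from the hunk; if it is, prefer it over the inline map. The loop body and `highlightSearchResults` continue past the end of the hunk, so anything appended to the title after this line should be checked against the same rule.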