This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

fixed Stored Cross Site Scripting (Authenticated) via Unvalidated Input #8

Open
wants to merge 1 commit into
base: master

Conversation


@ghost ghost commented May 5, 2021

📊 Metadata

Bounty URL: https://huntr.dev/bounties/7-other-monicahq/monica

⚙️ Description

Fixed an XSS vulnerability in /settings/personalisation where a user can add a javascript: protocol to execute JavaScript code on their profile page.

💻 Technical Description

Before loading the profile page, I added a loop through the morphMap property of contactFieldTypes (the contact fields of the profile page) to replace any javascript: protocols with nothing (removing them).

🐛 Proof of Concept (PoC)

In the /settings/personalisation page, create a new field type and set the protocol to javascript:, then save it. Now, click 'add' in the contact information box, select the field type you created and add any javascript, e.g. alert('xss').

🔥 Proof of Fix (PoF)

Same as above, but the javascript now doesn't run.

👍 User Acceptance Testing (UAT)

N/A
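An allowlist-based alternative to stripping the `javascript:` string from the stored protocol, as an added example that is not code from the Monica project or from this PR; `ALLOWED_PROTOCOLS`, `sanitizeProtocol` and `contactHrefAttribute` are hypothetical names, and the contents of the allowlist are an assumption about which schemes a contact field needs:

```php
<?php
// Added example, not Monica's own code: validate a contact field type's
// "protocol" against an allowlist of URL schemes when it is saved, rather
// than removing the string "javascript:" before the profile page renders.
// An allowlist rejects every scheme it does not know, so it does not rely
// on recognising each spelling of a dangerous one.

// Assumed allowlist for this example: the schemes a contact field in Monica
// plausibly needs. Extend it deliberately, one scheme at a time.
const ALLOWED_PROTOCOLS = ['mailto:', 'tel:', 'sms:', 'skype:', 'http://', 'https://'];

/**
 * Return the protocol in canonical form when it is allowed, '' when it is
 * empty (the field is then shown as plain text), and null when rejected.
 */
function sanitizeProtocol(?string $protocol): ?string
{
    if ($protocol === null) {
        return '';
    }
    // Trim surrounding whitespace, then compare case-insensitively so that
    // "MailTo:" and "mailto:" resolve to the same allowlist entry.
    $normalized = strtolower(trim($protocol));
    if ($normalized === '') {
        return '';
    }
    return in_array($normalized, ALLOWED_PROTOCOLS, true) ? $normalized : null;
}

/**
 * Build the href attribute value for a contact field: the validated scheme
 * followed by the user-entered data escaped for an HTML attribute context.
 * Returns null when the scheme is not allowed so the view falls back to text.
 */
function contactHrefAttribute(?string $protocol, string $data): ?string
{
    $scheme = sanitizeProtocol($protocol);
    if ($scheme === null || $scheme === '') {
        return null;
    }
    return $scheme . htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs. In a Laravel settings controller the same check can be
// expressed as a validation rule, e.g. Rule::in(ALLOWED_PROTOCOLS).
foreach (['mailto:', 'TEL:', 'javascript:', '', null] as $candidate) {
    $result = sanitizeProtocol($candidate);
    printf("%-13s => %s\n", var_export($candidate, true),
        $result === null ? 'rejected' : "accepted as '$result'");
}
```

Running the validation at save time in /settings/personalisation keeps a disallowed scheme out of the database entirely, so the profile page never has to clean it up.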

@huntr-helper

👋 Hello, @dependabot-preview[bot]. @bolshoytoster has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@dependabot-preview[bot] - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)


@JamieSlome

@asbiin - cc
