itizawa 5 лет назад
Родитель
Сommit
b2a781d5d2

+ 2 - 2
src/server/routes/apiv3/app-settings.js

@@ -284,8 +284,8 @@ module.exports = (crowi) => {
    */
   router.put('/app-setting', loginRequiredStrictly, adminRequired, csrf, validator.appSetting, apiV3FormValidator, async(req, res) => {
     const requestAppSettingParams = {
-      'app:title': crowi.xss.process(req.body.title),
-      'app:confidential': crowi.xss.process(req.body.confidential),
+      'app:title': req.body.title,
+      'app:confidential': req.body.confidential,
       'app:globalLang': req.body.globalLang,
       'app:fileUpload': req.body.fileUpload,
     };
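Review bot: With `crowi.xss.process` removed from `'app:title'` and `'app:confidential'`, both values are now stored exactly as submitted, so every place that renders them must encode on output. The template changes in this commit cover only `appService.getAppTitle()`; no rendering of `app:confidential` is touched. Any view, mail template or client-side component that prints either value without `preventXss` or autoescaping would emit an admin-supplied string as markup, so those render paths should be checked before this lands. I would also record the new contract above the object, for example `// app:title and app:confidential are stored unsanitized; every renderer must encode them on output`. The handler body continues past the end of this hunk, so validation done in `validator.appSetting` is not visible here.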

+ 1 - 1
src/server/views/installer.html

@@ -10,7 +10,7 @@
 
   <meta name="viewport" content="width=device-width,initial-scale=1">
 
-  <meta name="apple-mobile-web-app-title" content="{{ appService.getAppTitle() }}">
+  <meta name="apple-mobile-web-app-title" content="{{ appService.getAppTitle() | preventXss }}">
 
   {% include './widget/headers/favicon.html' %}
   {% include './widget/headers/ie11-polyfills.html' %}
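Review bot: `preventXss` is applied inside a double-quoted `content="…"` attribute on the `apple-mobile-web-app-title` line, and the same line is changed in `src/server/views/layout/layout.html`. A tag-oriented HTML sanitizer is not necessarily an attribute encoder, so it is worth confirming that the filter (or the engine's autoescape) turns `"` into `&quot;` in this position. Because this commit stops sanitizing the title on save, this output step is the only protection for the meta tag. If the filter does not encode quotes, the engine's escaping filter is the better fit for an attribute value. That would presumably be `content="{{ appService.getAppTitle() | escape }}"`, to be checked against the template engine in use.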

+ 1 - 1
src/server/views/layout/layout.html

@@ -10,7 +10,7 @@
 
   <meta name="viewport" content="width=device-width,initial-scale=1">
 
-  <meta name="apple-mobile-web-app-title" content="{{ appService.getAppTitle() }}">
+  <meta name="apple-mobile-web-app-title" content="{{ appService.getAppTitle() | preventXss }}">
 
   {{ getConfig('crowi', 'customize:header') | default('') }}
 

+ 1 - 1
src/server/views/login.html

@@ -34,7 +34,7 @@
     <div class="col-md-12">
       <div class="login-header mx-auto">
         <div class="logo mb-3">{% include 'widget/logo.html' %}</div>
-        <h1>{{ appService.getAppTitle() }}</h1>
+        <h1>{{ appService.getAppTitle() | preventXss }}</h1>
 
           <div class="login-form-errors px-3">
             {% if isLdapSetupFailed() %}