fix(nocodb): prevent reflected XSS in password reset and email verify templates

2026-06-02 01:11:33 +00:00 · 2026-03-23 07:36:12 +00:00
parent 3abcf3840a
commit c6de252f3f
2 changed files with 4 additions and 4 deletions
--- a/packages/nocodb/src/modules/auth/ui/auth/emailVerify.ts
+++ b/packages/nocodb/src/modules/auth/ui/auth/emailVerify.ts
@@ -9,7 +9,7 @@ export default `<!DOCTYPE html>
    <script src="<%= ncPublicUrl %>/js/vue.2.6.14.min.js"></script>
 </head>
 <body>
-<div id="app">
+<div id="app" data-token="<%= token %>">
    <v-app>
    <v-container>
        <v-row class="justify-center">
@@ -42,7 +42,7 @@ export default `<!DOCTYPE html>
      valid: null,
      errMsg: null,
      validForm: false,
-      token: '<%= token %>',
+      token: document.getElementById('app').dataset.token,
      greeting: 'Password Reset',
      formdata: {
        password: '',
--- a/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts
+++ b/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts
@@ -9,7 +9,7 @@ export default `<!DOCTYPE html>
    <script src="<%= ncPublicUrl %>/js/vue.2.6.14.min.js"></script>
 </head>
 <body>
-<div id="app">
+<div id="app" data-token="<%= token %>">
    <v-app>
        <v-container>
            <v-row class="justify-center">
@@ -68,7 +68,7 @@ export default `<!DOCTYPE html>
    data: {
      valid: null,
      validForm: false,
-      token: '<%= token %>',
+      token: document.getElementById('app').dataset.token,
      greeting: 'Password Reset',
      formdata: {
        password: '',