Community

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Content Security Policy and unsafe-inline

NodeBB Development

1 Posts 1 Posters 122 Views

J Offline

J Offline
Jeff Reiffers
wrote on last edited by

#1

Re: content security policy

Is CSP supported in 1.17.1?
1 Reply Last reply
0

Suggested Topics

B

NodeBB 2.8.13 & 3.1.3 Security Releases
Scheduled Pinned Locked Moved NodeBB Development security 2.8.13 3.1.3

4 Votes

1 Posts

69 Views

B

A bug in our socket.io authentication code can result in Cross-Site WebSocket Hijacking (CSWSH)

Affected versions <2.8.13 & <3.1.3

We have resolved this in the latest version of NodeBB(2.8.13 & 3.1.3), and the fix has already been rolled out as a patch on all of our hosted customers.

The fix is included in the latest 2.8.13 & 3.1.3 releases

Release 2.8.13 · NodeBB/NodeBB
Node.js based forum software built for the modern web - Release 2.8.13 · NodeBB/NodeBB
favicon
GitHub (github.com)

Release v3.1.3 · NodeBB/NodeBB
Node.js based forum software built for the modern web - Release v3.1.3 · NodeBB/NodeBB
favicon
GitHub (github.com)
B

NodeBB 2.8.1 Security Update
Scheduled Pinned Locked Moved NodeBB Development security 2.8.1

3 Votes

4 Posts

289 Views

B

It is basically the same vulnerability exploited with a different socket call. The initial fix in 2.6.1 only prevented a specific case, the fix in 2.8.1 should cover all cases.
You can either upgrade to 2.8.1 or only get the changes from the specific commit.
V

CoinAwesome: Using NodeBB for a decentralized content aggregator - Looking for a dev partner
Scheduled Pinned Locked Moved NodeBB Development

0 Votes

17 Posts

6293 Views

P

Maybe a plugin to add the field for coin address? I've seen people add them to their sigs as well, but depends on the theme (ie. Persona doesn't utilize sigs but we will plan on making them kind of like a status update in future)

Cool work BTW 🙂
A

Alter home page API to also get html code in post's content
Scheduled Pinned Locked Moved NodeBB Development

0 Votes

3 Posts

1484 Views

A

@baris thanks a bunch..! 🙂
T

mainPost content strip HTML
Scheduled Pinned Locked Moved NodeBB Development

0 Votes

3 Posts

1189 Views

T

I figured you could do this the same as this category.description = validator.escape(category.description);

When I comment this out, it allows the parsing of HTML in category descriptions.

I would like to do this because if you have plugins such as the YouTube Lite, or a bunch of images, it shows all of that when you have mainPost.content implemented in your template. Looks messy.

Community

Content Security Policy and unsafe-inline

Suggested Topics

NodeBB 2.8.13 & 3.1.3 Security Releases

NodeBB 2.8.1 Security Update

CoinAwesome: Using NodeBB for a decentralized content aggregator - Looking for a dev partner

Alter home page API to also get html code in post's content

mainPost content strip HTML