fix: #9636, sanitize all attributes in meta and link tags

public/src/modules/helpers.js

@@ -68,13 +68,8 @@
 	}
 
 	function buildLinkTag(tag) {
-		var link = tag.link ? 'link="' + tag.link + '" ' : '';
-		var rel = tag.rel ? 'rel="' + tag.rel + '" ' : '';
-		var as = tag.as ? 'as="' + tag.as + '" ' : '';
-		var type = tag.type ? 'type="' + tag.type + '" ' : '';
-		var href = tag.href ? 'href="' + tag.href + '" ' : '';
-		var sizes = tag.sizes ? 'sizes="' + tag.sizes + '" ' : '';
-		var title = tag.title ? 'title="' + tag.title + '" ' : '';
+		const attributes = ['link', 'rel', 'as', 'type', 'href', 'sizes', 'title'];
+		const [link, rel, as, type, href, sizes, title] = attributes.map(attr => (tag[attr] ? `${attr}="${tag[attr]}" ` : ''));
 
 		return '<link ' + link + rel + as + type + sizes + title + href + '/>\n\t';
 	}

src/meta/tags.js

@@ -154,7 +154,10 @@ Tags.parse = async (req, data, meta, link) => {
 		}
 
 		if (!tag.noEscape) {
-			tag.content = utils.escapeHTML(String(tag.content));
+			const attributes = Object.keys(tag);
+			attributes.forEach((attr) => {
+				tag[attr] = utils.escapeHTML(String(tag[attr]));
+			});
 		}
 
 		return tag;
@@ -168,12 +171,18 @@ Tags.parse = async (req, data, meta, link) => {
 	addIfNotExists(meta, 'name', 'description', Meta.config.description);
 	addIfNotExists(meta, 'property', 'og:description', Meta.config.description);
 
-	link = results.links.links.concat(link || []);
+	link = results.links.links.concat(link || []).map((tag) => {
+		if (!tag.noEscape) {
+			const attributes = Object.keys(tag);
+			attributes.forEach((attr) => {
+				tag[attr] = utils.escapeHTML(String(tag[attr]));
+			});
+		}
 
-	return {
-		meta: meta,
-		link: link,
-	};
+		return tag;
+	});
+
+	return { meta, link };
 };
 
 function addIfNotExists(meta, keyName, tagName, value) {