
Escape conferences user input#6641

Merged
ivan-mr merged 1 commit into decidim:develop from codegram:fix/escape-conference-user-input on Oct 9, 2020

Conversation

@josepjaume
Contributor

🎩 What? Why?

This escapes some user input fields on the conferences module that weren't properly escaped.

Note: As it turns out, cells are not escaped by default. Maybe we should consider adding the Escaped module sometime.

📌 Related Issues

None

Testing

Add "><h1><font color=red>XSS_Conference_title</font></h1><img src=x onerror=alert(1)> as a user input on a conference, and check out a related activity on your profile. You should see the title escaped.

📋 Checklist

🚨 Please review the guidelines for contributing to this repository.

  • CONSIDER adding a unit test if your PR resolves an issue.
  • ✔️ DO check open PR's to avoid duplicates.
  • ✔️ DO keep pull requests small so they can be easily reviewed.
  • ✔️ DO build locally before pushing.
  • ✔️ DO make sure tests pass.
  • ✔️ DO make sure any new changes are documented in docs/.
  • ✔️ DO add and modify seeds if necessary.
  • ✔️ DO add CHANGELOG upgrade notes if required.
  • ✔️ DO add to GraphQL API if there are new public fields.
  • ✔️ DO add link to MetaDecidim if it's a new feature.
  • AVOID breaking the continuous integration build.
  • AVOID making significant changes to the overall architecture.

📷 Screenshots

None
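As an added illustration (not code from this PR, from Decidim or from the cells gem), the following plain Ruby shows why a view fragment that interpolates a conference title without escaping turns the payload from the Testing section above into live markup, and what the same fragment looks like once the title goes through `ERB::Util.html_escape` from the Ruby standard library (the same escaping Rails applies to `<%= %>` in its own views). `render_activity_title_unescaped`, `render_activity_title_escaped` and `title_contributes_markup?` are hypothetical stand-ins for a cell's rendering method and a regression check; the wrapper markup and the sample title are constructed for the example.

```ruby
require "erb"

# Constructed sample: the payload the PR's Testing section uses, as an
# administrator might enter it in a conference title field.
XSS_TITLE = %q("><h1><font color=red>XSS_Conference_title</font></h1><img src=x onerror=alert(1)>)

# Markup the cell itself controls (hypothetical; not Decidim's real template).
WRAPPER_OPEN  = %(<span class="activity-title">)
WRAPPER_CLOSE = "</span>"

# Stand-in for a cell that builds the activity line by string interpolation.
# Nothing escapes the title, so every '<' and '>' in it becomes markup.
def render_activity_title_unescaped(title)
  "#{WRAPPER_OPEN}#{title}#{WRAPPER_CLOSE}"
end

# Same fragment with the title run through ERB::Util.html_escape, which
# replaces & < > " ' with their HTML entities; the browser then renders the
# payload as literal text instead of as an <img> with an onerror handler.
def render_activity_title_escaped(title)
  "#{WRAPPER_OPEN}#{ERB::Util.html_escape(title)}#{WRAPPER_CLOSE}"
end

# Regression-style check: strip the wrapper we control and verify that
# whatever the title contributed contains no raw '<' or '>' (so it cannot
# open a tag or close ours) and no raw '"' (so it cannot break out of an
# attribute if the fragment is later placed inside one).
def title_contributes_markup?(fragment)
  inner = fragment.delete_prefix(WRAPPER_OPEN).delete_suffix(WRAPPER_CLOSE)
  inner.match?(/[<>"]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_activity_title_unescaped(XSS_TITLE)}"
  puts "escaped:   #{render_activity_title_escaped(XSS_TITLE)}"
end
```

The check in `title_contributes_markup?` is deliberately narrow: it only proves that the attacker-controlled string cannot introduce tags or attributes, which is the property this PR restores for the conferences cells. It says nothing about contexts such as `javascript:` URLs or inline event attributes, where HTML entity escaping alone is not sufficient.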

@andreslucena
Member

Hi @josepjaume, glad to see you again here :D

As far as I'm aware when you say "user" you're referring to Administrators, right?

Maybe we should consider adding the Escaped module sometime.

That'd be great!

On the other hand, we prefer not to be so transparent about explaining publicly how to exploit current unsolved vulnerabilities. We have a Security Policy for these cases.

Thanks for the PR!

@andreslucena
Member

I can confirm the exploit and the fix locally.

mrcasals previously approved these changes Oct 8, 2020
@ivan-mr
Contributor

ivan-mr commented Oct 8, 2020

Oh, that's a great solution to fix this issue. But can you create some tests for the modified view and cell, please?
Thanks in advance @josepjaume

Contributor

@ivan-mr ivan-mr left a comment


Now I see all checks have passed. Thanks @josepjaume and good job!

@ivan-mr ivan-mr merged commit bef9a35 into decidim:develop Oct 9, 2020
@josepjaume
Contributor Author

Thanks @ivan-mr! I was about to write the tests for this, but they looked a bit too specific to me. Maybe we should find a way to ensure things get properly escaped in all cells?

@mrcasals mrcasals added module: conferences type: fix PRs that implement a fix for a bug labels Feb 25, 2021

4 participants