self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2025-01-26 18:58:21 +02:00
Code Issues Releases Activity

All: Security: Fixes #3143: Filter SVG element event attributes to prevent XSS vulnerability

Browse Source
This commit is contained in:
Laurent Cozic 2020-05-10 16:51:15 +01:00
parent 6446a3c4de
commit 41edae9719
2 changed files with 20 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ElectronClient/package.json
View File

@ -45,10 +45,12 @@
] ]
} }
], ],
"extraFiles": [{ "extraFiles": [
"from": "build-win/Joplin.VisualElementsManifest.xml", {
"to": "." "from": "build-win/Joplin.VisualElementsManifest.xml",
}], "to": "."
}
],
"extraResources": [ "extraResources": [
"build-win/icons/*" "build-win/icons/*"
] ]

17
ReactNativeClient/lib/joplin-renderer/htmlUtils.js
View File

@ -4,7 +4,6 @@ const htmlentities = new Entities().encode;
// [\s\S] instead of . for multiline matching // [\s\S] instead of . for multiline matching
// https://stackoverflow.com/a/16119722/561309 // https://stackoverflow.com/a/16119722/561309
const imageRegex = /<img([\s\S]*?)src=["']([\s\S]*?)["']([\s\S]*?)>/gi; const imageRegex = /<img([\s\S]*?)src=["']([\s\S]*?)["']([\s\S]*?)>/gi;
const JS_EVENT_NAMES = ['onabort', 'onafterprint', 'onbeforeprint', 'onbeforeunload', 'onblur', 'oncanplay', 'oncanplaythrough', 'onchange', 'onclick', 'oncontextmenu', 'oncopy', 'oncuechange', 'oncut', 'ondblclick', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'ondurationchange', 'onemptied', 'onended', 'onerror', 'onfocus', 'onhashchange', 'oninput', 'oninvalid', 'onkeydown', 'onkeypress', 'onkeyup', 'onload', 'onloadeddata', 'onloadedmetadata', 'onloadstart', 'onmessage', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onoffline', 'ononline', 'onpagehide', 'onpageshow', 'onpaste', 'onpause', 'onplay', 'onplaying', 'onpopstate', 'onprogress', 'onratechange', 'onreset', 'onresize', 'onscroll', 'onsearch', 'onseeked', 'onseeking', 'onselect', 'onstalled', 'onstorage', 'onsubmit', 'onsuspend', 'ontimeupdate', 'ontoggle', 'onunload', 'onvolumechange', 'onwaiting', 'onwheel'];
const selfClosingElements = [ const selfClosingElements = [
'area', 'area',
@ -102,8 +101,20 @@ class HtmlUtils {
if (disallowedTags.includes(currentTag())) return; if (disallowedTags.includes(currentTag())) return;
attrs = Object.assign({}, attrs); attrs = Object.assign({}, attrs);
for (const eventName of JS_EVENT_NAMES) {
delete attrs[eventName]; // Remove all the attributes that start with "on", which
// normally should be JavaScript events. A better solution
// would be to blacklist known events only but it seems the
// list is not well defined [0] and we don't want any to slip
// throught the cracks. A side effect of this change is a
// regular harmless attribute that starts with "on" will also
// be removed.
// 0: https://developer.mozilla.org/en-US/docs/Web/Events
for (const name in attrs) {
if (!attrs.hasOwnProperty(name)) continue;
if (name.length <= 2) continue;
if (name.toLowerCase().substr(0, 2) !== 'on') continue;
delete attrs[name];
} }
if (options.addNoMdConvClass) { if (options.addNoMdConvClass) {