From 57b4198d2c190601beef6af950c38837bfc6c334 Mon Sep 17 00:00:00 2001
From: Laurent Cozic
Date: Wed, 14 Jun 2023 16:55:54 +0100
Subject: [PATCH] All: Security: Prevent XSS when passing specially encoded string to a link
---
 packages/app-cli/tests/md_to_html/sanitize_18.html | 1 +
 packages/app-cli/tests/md_to_html/sanitize_18.md | 1 +
 packages/renderer/MdToHtml/linkReplacement.ts | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 packages/app-cli/tests/md_to_html/sanitize_18.html
 create mode 100644 packages/app-cli/tests/md_to_html/sanitize_18.md
diff --git a/packages/app-cli/tests/md_to_html/sanitize_18.html b/packages/app-cli/tests/md_to_html/sanitize_18.html
new file mode 100644
index 000000000..6af03f009
--- /dev/null
+++ b/packages/app-cli/tests/md_to_html/sanitize_18.html
@@ -0,0 +1 @@
+xxxxx
\ No newline at end of file
diff --git a/packages/app-cli/tests/md_to_html/sanitize_18.md b/packages/app-cli/tests/md_to_html/sanitize_18.md
new file mode 100644
index 000000000..ef449f36a
--- /dev/null
+++ b/packages/app-cli/tests/md_to_html/sanitize_18.md
@@ -0,0 +1 @@
+[xxxxx](","a");top.require('child_process').exec('open /System/Applications/Calculator.app');// '