
All: Security: Prevent XSS when passing specially encoded string to a link

This commit is contained in:
Laurent Cozic 2023-06-14 16:55:54 +01:00
parent 2078fa4e40
commit 57b4198d2c
3 changed files with 3 additions and 1 deletions


@ -0,0 +1 @@
<a data-from-md title='&lt;style&gt;' href='&amp;#x22&amp;#x2c&amp;#x22&amp;#x61&amp;#x22&amp;#x29&amp;#x3b&amp;#x74&amp;#x6f&amp;#x70&amp;#x2e&amp;#x72&amp;#x65&amp;#x71&amp;#x75&amp;#x69&amp;#x72&amp;#x65&amp;#x28&amp;#x27&amp;#x63&amp;#x68&amp;#x69&amp;#x6c&amp;#x64&amp;#x5f&amp;#x70&amp;#x72&amp;#x6f&amp;#x63&amp;#x65&amp;#x73&amp;#x73&amp;#x27&amp;#x29&amp;#x2e&amp;#x65&amp;#x78&amp;#x65&amp;#x63&amp;#x28&amp;#x27&amp;#x6f&amp;#x70&amp;#x65&amp;#x6e&amp;#x20&amp;#x2f&amp;#x53&amp;#x79&amp;#x73&amp;#x74&amp;#x65&amp;#x6d&amp;#x2f&amp;#x41&amp;#x70&amp;#x70&amp;#x6c&amp;#x69&amp;#x63&amp;#x61&amp;#x74&amp;#x69&amp;#x6f&amp;#x6e&amp;#x73&amp;#x2f&amp;#x43&amp;#x61&amp;#x6c&amp;#x63&amp;#x75&amp;#x6c&amp;#x61&amp;#x74&amp;#x6f&amp;#x72&amp;#x2e&amp;#x61&amp;#x70&amp;#x70&amp;#x27&amp;#x29&amp;#x3b&amp;#x2f&amp;#x2f' onclick='postMessage(&quot;&amp;#x22&amp;#x2c&amp;#x22&amp;#x61&amp;#x22&amp;#x29&amp;#x3b&amp;#x74&amp;#x6f&amp;#x70&amp;#x2e&amp;#x72&amp;#x65&amp;#x71&amp;#x75&amp;#x69&amp;#x72&amp;#x65&amp;#x28&amp;#x27&amp;#x63&amp;#x68&amp;#x69&amp;#x6c&amp;#x64&amp;#x5f&amp;#x70&amp;#x72&amp;#x6f&amp;#x63&amp;#x65&amp;#x73&amp;#x73&amp;#x27&amp;#x29&amp;#x2e&amp;#x65&amp;#x78&amp;#x65&amp;#x63&amp;#x28&amp;#x27&amp;#x6f&amp;#x70&amp;#x65&amp;#x6e&amp;#x20&amp;#x2f&amp;#x53&amp;#x79&amp;#x73&amp;#x74&amp;#x65&amp;#x6d&amp;#x2f&amp;#x41&amp;#x70&amp;#x70&amp;#x6c&amp;#x69&amp;#x63&amp;#x61&amp;#x74&amp;#x69&amp;#x6f&amp;#x6e&amp;#x73&amp;#x2f&amp;#x43&amp;#x61&amp;#x6c&amp;#x63&amp;#x75&amp;#x6c&amp;#x61&amp;#x74&amp;#x6f&amp;#x72&amp;#x2e&amp;#x61&amp;#x70&amp;#x70&amp;#x27&amp;#x29&amp;#x3b&amp;#x2f&amp;#x2f&quot;, { resourceId: &quot;&quot; }); return false;'>xxxxx</a>


@ -0,0 +1 @@
[xxxxx](&#x22&#x2c&#x22&#x61&#x22&#x29&#x3b&#x74&#x6f&#x70&#x2e&#x72&#x65&#x71&#x75&#x69&#x72&#x65&#x28&#x27&#x63&#x68&#x69&#x6c&#x64&#x5f&#x70&#x72&#x6f&#x63&#x65&#x73&#x73&#x27&#x29&#x2e&#x65&#x78&#x65&#x63&#x28&#x27&#x6f&#x70&#x65&#x6e&#x20&#x2f&#x53&#x79&#x73&#x74&#x65&#x6d&#x2f&#x41&#x70&#x70&#x6c&#x69&#x63&#x61&#x74&#x69&#x6f&#x6e&#x73&#x2f&#x43&#x61&#x6c&#x63&#x75&#x6c&#x61&#x74&#x6f&#x72&#x2e&#x61&#x70&#x70&#x27&#x29&#x3b&#x2f&#x2f '<style>')


@ -99,7 +99,7 @@ export default function(href: string, options: Options = null): LinkReplacementR
postMessageSyntax: options.postMessageSyntax ?? 'void',
}, onClick);
} else {
js = `onclick='${js}'`;
js = `onclick='${htmlentities(js)}'`;
}
if (hrefAttr.indexOf('#') === 0 && href.indexOf('#') === 0) js = ''; // If it's an internal anchor, don't add any JS since the webview is going to handle navigating to the right place
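Review bot: The new line's safety rests on `htmlentities` encoding the single quote, because the attribute it builds is single-quoted (`onclick='...'`), yet the two fixture files in this commit only exercise `&quot;` and hex entities, so a `'` inside the link is never tested; a fixture whose href or title contains a `'` would pin that case down. A short why-comment on the new line would help the next maintainer keep the call in place: `// Entity-encode the generated JS: the attribute is single-quoted, so an unescaped ' would terminate it and allow injection`. Whether the `if` branch above, where `js` comes from the helper called with `onClick`, applies the same attribute encoding is not visible in this hunk. The enclosing function begins before the hunk and appears to continue after it.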