
Security: Fixed disallowed tag XSS

This commit is contained in:
Laurent Cozic
2022-04-25 17:17:54 +01:00
parent d9a4a9cb30
commit 774c20772b
3 changed files with 18 additions and 4 deletions


@@ -0,0 +1 @@
<iframe src=""><svg><style><img src="" onerror=this.onerror=confirm('vulnerable_to_XSS')


@@ -155,6 +155,11 @@ class HtmlUtils {
return tagStack[tagStack.length - 1];
};
// When we encounter a disallowed tag, all the other tags within it are
// going to be skipped too. This is necessary to prevent certain XSS
// attacks. See sanitize_11.md
let disallowedTagDepth = 0;
// The BASE tag allows changing the base URL from which files are
// loaded, and that can break several plugins, such as Katex (which
// needs to load CSS files using a relative URL). For that reason
@@ -164,14 +169,20 @@ class HtmlUtils {
// "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway.
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript', 'button', 'form', 'input', 'select', 'textarea', 'option', 'optgroup'];
const disallowedTags = [
'script', 'iframe', 'frameset', 'frame', 'object', 'base',
'embed', 'link', 'meta', 'noscript', 'button', 'form',
'input', 'select', 'textarea', 'option', 'optgroup',
];
const parser = new htmlparser2.Parser({
onopentag: (name: string, attrs: any) => {
tagStack.push(name.toLowerCase());
if (disallowedTags.includes(currentTag())) return;
if (disallowedTags.includes(currentTag())) disallowedTagDepth++;
if (disallowedTagDepth) return;
attrs = Object.assign({}, attrs);
@@ -214,7 +225,7 @@ class HtmlUtils {
},
ontext: (decodedText: string) => {
if (disallowedTags.includes(currentTag())) return;
if (disallowedTagDepth) return;
if (currentTag() === 'style') {
// For CSS, we have to put the style as-is inside the tag because if we html-entities encode
@@ -231,7 +242,9 @@ class HtmlUtils {
if (current === name.toLowerCase()) tagStack.pop();
if (disallowedTags.includes(current)) return;
if (disallowedTags.includes(current)) disallowedTagDepth--;
if (disallowedTagDepth) return;
if (this.isSelfClosingTag(name)) return;
output.push(`</${name}>`);
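Review bot: In the onclosetag hunk (`@@ -231,7 +242,9 @@`) the decrement `if (disallowedTags.includes(current)) disallowedTagDepth--;` runs even when the preceding line declined to pop because `current !== name.toLowerCase()`, so a close event that does not match the top of `tagStack` can lower the counter while the disallowed element is still on the stack. Whether htmlparser2 can deliver such a mismatched close is not visible from these hunks, but tying the decrement to the pop keeps the counter and the stack in step and fails closed: `if (current === name.toLowerCase()) { tagStack.pop(); if (disallowedTags.includes(current)) disallowedTagDepth--; }`. The `disallowedTagDepth` gate is applied to onopentag, ontext and onclosetag here; if the parser registers further callbacks outside these hunks (comments, CDATA, processing instructions), they would need the same early return. The enclosing parser callback object and the sanitizing method start and end outside the hunks.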