
Desktop: Security: Fixes #6004: Prevent XSS in Goto Anything

This commit is contained in:
Laurent Cozic
2022-01-15 16:53:24 +00:00
parent e0bfa0dbe6
commit 810018b41f
6 changed files with 49 additions and 39 deletions


@@ -97,8 +97,7 @@ class HtmlUtils {
return selfClosingElements.includes(tagName.toLowerCase());
}
// TODO: copied from @joplin/lib
stripHtml(html: string) {
public stripHtml(html: string) {
const output: string[] = [];
const tagStack: string[] = [];
@@ -130,7 +129,14 @@ class HtmlUtils {
parser.write(html);
parser.end();
return output.join('').replace(/\s+/g, ' ');
// In general, we want to get back plain text from this function, so all
// HTML entities are decoded. Howver, to prevent XSS attacks, we
// re-encode all the "<" characters, which should break any attempt to
// inject HTML tags.
return output.join('')
.replace(/\s+/g, ' ')
.replace(/</g, '&lt;');
}
public sanitizeHtml(html: string, options: any = null) {
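Review bot: Re-encoding only `<` at the tail of `stripHtml` blocks tag injection but leaves attribute-context injection open: the parser decodes entities, so a `"` or `'` in the note text survives into the result, and if any caller interpolates that result into an attribute value (e.g. `title="…"`) it can still break out; a bare `&` also passes through unencoded, so the return value is now neither plain text nor well-formed HTML. The safer shape is to keep `stripHtml` returning true plain text and escape at the HTML sink with a full `escapeHtml` (`&`, `<`, `>`, `"`, `'`) in whatever code builds the Goto Anything markup — callers that put the result into a text node or a non-HTML context will otherwise show a literal `&lt;`. If the escape must stay in this function, extend it to the full set, e.g. `.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')`, and state in the comment that the output is HTML-escaped text rather than plain text (also `Howver` → `However`). The hunk starts inside `stripHtml`, whose opening lines and the enclosing `HtmlUtils` class lie outside it, and the callers whose rendering context this depends on are not visible here.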