From 955f724d364b795032eb9539f0bfc86e1390ec7e Mon Sep 17 00:00:00 2001
From: Henry Heino <46334387+personalizedrefrigerator@users.noreply.github.com>
Date: Wed, 19 Jul 2023 05:09:03 -0700
Subject: [PATCH] Desktop: Sanitize rendered output in safe mode (#8507)
---
 .eslintignore | 1 +
 .gitignore | 1 +
 .../tests/{MarkupToHtml.js => MarkupToHtml.ts} | 18 ++++++++++++++++--
 packages/renderer/MarkupToHtml.ts | 4 +++-
 4 files changed, 21 insertions(+), 3 deletions(-)
 rename packages/app-cli/tests/{MarkupToHtml.js => MarkupToHtml.ts} (67%)
diff --git a/.eslintignore b/.eslintignore
index b28d3ac87..491ad1379 100644
--- a/.eslintignore
+++ b/.eslintignore
@@ -92,6 +92,7 @@ packages/app-cli/app/services/plugins/PluginRunner.js
 packages/app-cli/app/setupCommand.js
 packages/app-cli/app/utils/testUtils.js
 packages/app-cli/tests/HtmlToMd.js
+packages/app-cli/tests/MarkupToHtml.js
 packages/app-cli/tests/MdToHtml.js
 packages/app-cli/tests/services/keychain/KeychainService.js
 packages/app-cli/tests/services/plugins/PluginService.js
diff --git a/.gitignore b/.gitignore
index e703270f7..dfeb865ca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -77,6 +77,7 @@ packages/app-cli/app/services/plugins/PluginRunner.js
 packages/app-cli/app/setupCommand.js
 packages/app-cli/app/utils/testUtils.js
 packages/app-cli/tests/HtmlToMd.js
+packages/app-cli/tests/MarkupToHtml.js
 packages/app-cli/tests/MdToHtml.js
 packages/app-cli/tests/services/keychain/KeychainService.js
 packages/app-cli/tests/services/plugins/PluginService.js
diff --git a/packages/app-cli/tests/MarkupToHtml.js b/packages/app-cli/tests/MarkupToHtml.ts
similarity index 67%
rename from packages/app-cli/tests/MarkupToHtml.js
rename to packages/app-cli/tests/MarkupToHtml.ts
index bb1037ebf..273394e3b 100644
--- a/packages/app-cli/tests/MarkupToHtml.js
+++ b/packages/app-cli/tests/MarkupToHtml.ts
@@ -1,5 +1,5 @@
-const MarkupToHtml = require('@joplin/renderer/MarkupToHtml').default;
+import MarkupToHtml, { MarkupLanguage, RenderResult } from '@joplin/renderer/MarkupToHtml';
 describe('MarkupToHtml', () => {
@@ -31,7 +31,7 @@ describe('MarkupToHtml', () => {
 const input = t[0];
 const expected = t[1];
 const actual = service.stripMarkup(Number(markup), input);
- expect(actual).toBe(expected, `Markup: ${markup}`);
+ expect(actual).toBe(expected);
 }
 }
@@ -40,4 +40,18 @@ describe('MarkupToHtml', () => {
 expect(service.stripMarkup(1, 'one line\n two line', { collapseWhiteSpaces: true })).toBe('one line two line');
 }));
+
+ test('should escape HTML in safe mode', async () => {
+ const service = new MarkupToHtml({ isSafeMode: true });
+
+ const testString = '.Test';
+ const expectedOutput: RenderResult = {
+ html: '
</pre>.<b>Test</b>
',
+ cssStrings: [],
+ pluginAssets: [],
+ };
+
+ expect(await service.render(MarkupLanguage.Html, testString, {}, {})).toMatchObject(expectedOutput);
+ expect(await service.render(MarkupLanguage.Markdown, testString, {}, {})).toMatchObject(expectedOutput);
+ });
 });
diff --git a/packages/renderer/MarkupToHtml.ts b/packages/renderer/MarkupToHtml.ts
index 26c33595b..bd03bb4b8 100644
--- a/packages/renderer/MarkupToHtml.ts
+++ b/packages/renderer/MarkupToHtml.ts
@@ -2,6 +2,7 @@ import MdToHtml from './MdToHtml';
 import HtmlToHtml from './HtmlToHtml';
 import htmlUtils from './htmlUtils';
 import { Options as NoteStyleOptions } from './noteStyle';
+import { AllHtmlEntities } from 'html-entities';
 const MarkdownIt = require('markdown-it');
 export enum MarkupLanguage {
@@ -113,8 +114,9 @@ export default class MarkupToHtml {
 public async render(markupLanguage: MarkupLanguage, markup: string, theme: any, options: any): Promise {
 if (this.options_.isSafeMode) {
+ const htmlentities = new AllHtmlEntities();
 return {
- html: `
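Review bot: `toMatchObject(expectedOutput)` is a partial match, so an unexpected extra key on the returned object would not fail this test; the safe-mode branch in the renderer hunk below returns exactly `{ html, cssStrings, pluginAssets }` and `expectedOutput` is typed as a full `RenderResult`, so `toEqual(expectedOutput)` would pin the whole result. The test input and the expected `html` are not legible in this rendering, so whether they cover `&` and quote characters as well as angle brackets cannot be confirmed here; a second case containing those characters would make the safe-mode escaping contract explicit. A one-line comment on why both `MarkupLanguage.Html` and `MarkupLanguage.Markdown` are exercised would also help, e.g. `// Safe mode must escape the note regardless of its markup language.`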
${markup}
`, + html: `
${htmlentities.encode(markup)}
`, cssStrings: [], pluginAssets: [], };
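Review bot: `new AllHtmlEntities()` is constructed on every call to render() inside the safe-mode branch; the encoder appears to hold no per-call state, so `const htmlentities = new AllHtmlEntities();` can live at module level beside the new import and the branch shrink to the template literal. Entity-encoding the markup before it is wrapped is the right fix, since a raw-HTML note can then contribute only text to the safe-mode output; a comment recording that intent would protect it from later edits, e.g. `// Safe mode never interprets the note: entity-encode it so none of its markup is rendered.` The import hunk above adds no package.json change, so it relies on html-entities already being a dependency of the renderer package, which is worth confirming. The element wrapping the encoded string is not legible in this rendering, and render() continues past the end of the hunk.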