Desktop: Sanitize rendered output in safe mode (#8507)

2024-12-21 09:38:01 +02:00 · 2023-07-19 05:09:03 -07:00 · 2023-07-19 05:09:03 -07:00 · 955f724d36
commit 955f724d36
parent 6cf0ed6166
4 changed files with 21 additions and 3 deletions
--- a/.eslintignore
+++ b/.eslintignore
@ -92,6 +92,7 @@ packages/app-cli/app/services/plugins/PluginRunner.js
 packages/app-cli/app/setupCommand.js
 packages/app-cli/app/utils/testUtils.js
 packages/app-cli/tests/HtmlToMd.js
 packages/app-cli/tests/MarkupToHtml.js
 packages/app-cli/tests/MdToHtml.js
 packages/app-cli/tests/services/keychain/KeychainService.js
 packages/app-cli/tests/services/plugins/PluginService.js
--- a/.gitignore
+++ b/.gitignore
@ -77,6 +77,7 @@ packages/app-cli/app/services/plugins/PluginRunner.js
 packages/app-cli/app/setupCommand.js
 packages/app-cli/app/utils/testUtils.js
 packages/app-cli/tests/HtmlToMd.js
 packages/app-cli/tests/MarkupToHtml.js
 packages/app-cli/tests/MdToHtml.js
 packages/app-cli/tests/services/keychain/KeychainService.js
 packages/app-cli/tests/services/plugins/PluginService.js
--- a/packages/app-cli/tests/MarkupToHtml.ts
+++ b/packages/app-cli/tests/MarkupToHtml.ts
@ -1,5 +1,5 @@
-const MarkupToHtml = require('@joplin/renderer/MarkupToHtml').default;
+import MarkupToHtml, { MarkupLanguage, RenderResult } from '@joplin/renderer/MarkupToHtml';
 describe('MarkupToHtml', () => {
@ -31,7 +31,7 @@ describe('MarkupToHtml', () => {
 				const input = t[0];
 				const expected = t[1];
 				const actual = service.stripMarkup(Number(markup), input);
-				expect(actual).toBe(expected, `Markup: ${markup}`);
+				expect(actual).toBe(expected);
 			}
 		}
@ -40,4 +40,18 @@ describe('MarkupToHtml', () => {
 		expect(service.stripMarkup(1, 'one line\n    two line', { collapseWhiteSpaces: true })).toBe('one line two line');
 	}));
 	test('should escape HTML in safe mode', async () => {
 		const service = new MarkupToHtml({ isSafeMode: true });
 		const testString = '</pre>.<b>Test</b>';
 		const expectedOutput: RenderResult = {
 			html: '<pre>&lt;/pre&gt;.&lt;b&gt;Test&lt;/b&gt;</pre>',
 			cssStrings: [],
 			pluginAssets: [],
 		};
 		expect(await service.render(MarkupLanguage.Html, testString, {}, {})).toMatchObject(expectedOutput);
 		expect(await service.render(MarkupLanguage.Markdown, testString, {}, {})).toMatchObject(expectedOutput);
 	});
 });
--- a/packages/renderer/MarkupToHtml.ts
+++ b/packages/renderer/MarkupToHtml.ts
@ -2,6 +2,7 @@ import MdToHtml from './MdToHtml';
 import HtmlToHtml from './HtmlToHtml';
 import htmlUtils from './htmlUtils';
 import { Options as NoteStyleOptions } from './noteStyle';
 import { AllHtmlEntities } from 'html-entities';
 const MarkdownIt = require('markdown-it');
 export enum MarkupLanguage {
@ -113,8 +114,9 @@ export default class MarkupToHtml {
 	public async render(markupLanguage: MarkupLanguage, markup: string, theme: any, options: any): Promise<RenderResult> {
 		if (this.options_.isSafeMode) {
 			const htmlentities = new AllHtmlEntities();
 			return {
-				html: `<pre>${markup}</pre>`,
+				html: `<pre>${htmlentities.encode(markup)}</pre>`,
 				cssStrings: [],
 				pluginAssets: [],
 			};