
Desktop: Sanitize rendered output in safe mode (#8507)

This commit is contained in:
Henry Heino 2023-07-19 05:09:03 -07:00 committed by GitHub
parent 6cf0ed6166
commit 955f724d36
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 3 deletions


@ -92,6 +92,7 @@ packages/app-cli/app/services/plugins/PluginRunner.js
packages/app-cli/app/setupCommand.js packages/app-cli/app/setupCommand.js
packages/app-cli/app/utils/testUtils.js packages/app-cli/app/utils/testUtils.js
packages/app-cli/tests/HtmlToMd.js packages/app-cli/tests/HtmlToMd.js
packages/app-cli/tests/MarkupToHtml.js
packages/app-cli/tests/MdToHtml.js packages/app-cli/tests/MdToHtml.js
packages/app-cli/tests/services/keychain/KeychainService.js packages/app-cli/tests/services/keychain/KeychainService.js
packages/app-cli/tests/services/plugins/PluginService.js packages/app-cli/tests/services/plugins/PluginService.js

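--- a/.gitignore
+++ b/.gitignore
@@ -77,6 +77,7 @@ packages/app-cli/app/services/plugins/PluginRunner.js
 packages/app-cli/app/setupCommand.js
 packages/app-cli/app/utils/testUtils.js
 packages/app-cli/tests/HtmlToMd.js
+packages/app-cli/tests/MarkupToHtml.js
 packages/app-cli/tests/MdToHtml.js
 packages/app-cli/tests/services/keychain/KeychainService.js
 packages/app-cli/tests/services/plugins/PluginService.js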


@ -1,5 +1,5 @@
const MarkupToHtml = require('@joplin/renderer/MarkupToHtml').default; import MarkupToHtml, { MarkupLanguage, RenderResult } from '@joplin/renderer/MarkupToHtml';
describe('MarkupToHtml', () => { describe('MarkupToHtml', () => {
@ -31,7 +31,7 @@ describe('MarkupToHtml', () => {
const input = t[0]; const input = t[0];
const expected = t[1]; const expected = t[1];
const actual = service.stripMarkup(Number(markup), input); const actual = service.stripMarkup(Number(markup), input);
expect(actual).toBe(expected, `Markup: ${markup}`); expect(actual).toBe(expected);
} }
} }
@ -40,4 +40,18 @@ describe('MarkupToHtml', () => {
expect(service.stripMarkup(1, 'one line\n two line', { collapseWhiteSpaces: true })).toBe('one line two line'); expect(service.stripMarkup(1, 'one line\n two line', { collapseWhiteSpaces: true })).toBe('one line two line');
})); }));
test('should escape HTML in safe mode', async () => {
const service = new MarkupToHtml({ isSafeMode: true });
const testString = '</pre>.<b>Test</b>';
const expectedOutput: RenderResult = {
html: '<pre>&lt;/pre&gt;.&lt;b&gt;Test&lt;/b&gt;</pre>',
cssStrings: [],
pluginAssets: [],
};
expect(await service.render(MarkupLanguage.Html, testString, {}, {})).toMatchObject(expectedOutput);
expect(await service.render(MarkupLanguage.Markdown, testString, {}, {})).toMatchObject(expectedOutput);
});
}); });
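Review bot: The new `test('should escape HTML in safe mode', ...)` only exercises angle brackets via `'</pre>.<b>Test</b>'`, so it would keep passing if the encoder ever stopped escaping `&` or quotes, which are the characters that matter if a future change moves the escaped text into an attribute. Add a second input such as `'&lt;b&gt; "x"'` and assert that the ampersand is doubled to `&amp;lt;` (i.e. pre-encoded entities are not passed through or decoded) and that no raw `"` survives, rather than pinning the exact quote entity, which depends on the html-entities version. The `describe` block this test lives in begins before the hunk.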


@ -2,6 +2,7 @@ import MdToHtml from './MdToHtml';
import HtmlToHtml from './HtmlToHtml'; import HtmlToHtml from './HtmlToHtml';
import htmlUtils from './htmlUtils'; import htmlUtils from './htmlUtils';
import { Options as NoteStyleOptions } from './noteStyle'; import { Options as NoteStyleOptions } from './noteStyle';
import { AllHtmlEntities } from 'html-entities';
const MarkdownIt = require('markdown-it'); const MarkdownIt = require('markdown-it');
export enum MarkupLanguage { export enum MarkupLanguage {
@ -113,8 +114,9 @@ export default class MarkupToHtml {
public async render(markupLanguage: MarkupLanguage, markup: string, theme: any, options: any): Promise<RenderResult> { public async render(markupLanguage: MarkupLanguage, markup: string, theme: any, options: any): Promise<RenderResult> {
if (this.options_.isSafeMode) { if (this.options_.isSafeMode) {
const htmlentities = new AllHtmlEntities();
return { return {
html: `<pre>${markup}</pre>`, html: `<pre>${htmlentities.encode(markup)}</pre>`,
cssStrings: [], cssStrings: [],
pluginAssets: [], pluginAssets: [],
}; };
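Review bot: The new `import { AllHtmlEntities } from 'html-entities';` line brings in a dependency that this commit does not declare anywhere (the diffstat shows no package.json change), so it is presumably resolved through the monorepo's hoisted node_modules; if `html-entities` is not listed in the renderer package's own package.json, add it there so a hoisting or workspace change cannot silently break the safe-mode path. As far as I recall `AllHtmlEntities` is the html-entities v1 class API, removed in v2 in favour of a plain `encode()` export, so a dependency bump will need this import and the `htmlentities.encode(markup)` call updated (it would fail at build time rather than silently, which is acceptable). The encoder is also constructed on every call inside `render`; a module-level `const htmlentities = new AllHtmlEntities();` avoids the per-render allocation and keeps the escaping call a one-liner. `render`'s body continues past the end of the hunk.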