self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2024-12-24 10:27:10 +02:00
Code Issues Releases Activity

All: Security: Filter out NOSCRIPT tags that could be used to cause an XSS (thanks to Jubair Rehman for the PoC)

Browse Source
This commit is contained in:
Laurent Cozic 2021-05-10 11:22:12 +02:00
parent bb77d7171a
commit 9c20d5947d
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
packages/renderer/htmlUtils.ts
View File

@ -133,7 +133,7 @@ class HtmlUtils {
return output.join('').replace(/\s+/g, ' ');
}
sanitizeHtml(html: string, options: any = null) {
public sanitizeHtml(html: string, options: any = null) {
options = Object.assign({}, {
// If true, adds a "jop-noMdConv" class to all the tags.
// It can be used afterwards to restore HTML tags in Markdown.
@ -158,7 +158,7 @@ class HtmlUtils {
// "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway.
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta'];
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript'];
const parser = new htmlparser2.Parser({