All: Security: Prevent XSS by sanitizing certain HTML attributes
This commit is contained in:
parent
ccec93eaa3
commit
9e90d9016d
@ -1 +1 @@
|
||||
<use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'><image href='asdf' onerror='top.require(`child_process`).execSync(`calc.exe`)' /></svg>#x" class="jop-noMdConv">
|
||||
<use href="#" class="jop-noMdConv">
|
1
packages/app-cli/tests/md_to_html/sanitize_16.html
Normal file
1
packages/app-cli/tests/md_to_html/sanitize_16.html
Normal file
@ -0,0 +1 @@
|
||||
<map name="test" class="jop-noMdConv"><area coords="0,0,1000,1000" href="#" class="jop-noMdConv"/></map><img usemap="#test" src="https://github.com/Ry0taK.png" class="jop-noMdConv"/>
|
1
packages/app-cli/tests/md_to_html/sanitize_16.md
Normal file
1
packages/app-cli/tests/md_to_html/sanitize_16.md
Normal file
@ -0,0 +1 @@
|
||||
<map name="test"><area coords="0,0,1000,1000" href="javascript:top.require(`child_process`).execSync(`calc.exe`)"></map><img usemap="#test" src="https://github.com/Ry0taK.png">
|
@ -233,18 +233,18 @@ class HtmlUtils {
|
||||
delete attrs[attrName];
|
||||
}
|
||||
|
||||
if (name === 'a') {
|
||||
// Make sure that only non-acceptable URLs are filtered out.
|
||||
// In particular we want to exclude `javascript:` URLs.
|
||||
if ('href' in attrs && !this.isAcceptedUrl(attrs['href'])) {
|
||||
attrs['href'] = '#';
|
||||
}
|
||||
// Make sure that only non-acceptable URLs are filtered out. In
|
||||
// particular we want to exclude `javascript:` URLs. This
|
||||
// applies to A tags, and also AREA ones but to be safe we don't
|
||||
// filter on the tag name and process all HREF attributes.
|
||||
if ('href' in attrs && !this.isAcceptedUrl(attrs['href'])) {
|
||||
attrs['href'] = '#';
|
||||
}
|
||||
|
||||
// We need to clear any such attribute, otherwise it will
|
||||
// make any arbitrary link open within the application.
|
||||
if ('data-from-md' in attrs) {
|
||||
delete attrs['data-from-md'];
|
||||
}
|
||||
// We need to clear any such attribute, otherwise it will
|
||||
// make any arbitrary link open within the application.
|
||||
if ('data-from-md' in attrs) {
|
||||
delete attrs['data-from-md'];
|
||||
}
|
||||
|
||||
if (options.addNoMdConvClass) {
|
||||
|
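Review bot: The URL check in the new block keys on the exact attribute name (`'href' in attrs`), so an equivalent attribute spelled differently — SVG's legacy `xlink:href` on `<use>`/`<image>`, or `HREF` if the parser does not lower-case attribute names — is not routed through `isAcceptedUrl`, even though the fixture in the first hunk (a `<use href="data:…">` rewritten to `href="#"`) shows that SVG link attributes are meant to be covered. Consider iterating a short list of URL-bearing attribute names instead of a single key, e.g. `for (const urlAttr of ['href', 'xlink:href']) { if (urlAttr in attrs && !this.isAcceptedUrl(attrs[urlAttr])) attrs[urlAttr] = '#'; }`, and adding a fixture that exercises `xlink:href`. Whether attribute names arrive already lower-cased is not visible in this hunk and should be confirmed against the parser in use before relying on the exact-key lookup. The enclosing HtmlUtils method starts and ends outside this hunk.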