self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2025-01-11 18:24:43 +02:00
Code Issues Releases Activity

All: Security: Prevent XSS by sanitizing certain HTML attributes

Browse Source
This commit is contained in:
Laurent Cozic 2023-05-19 11:00:31 +01:00
parent ccec93eaa3
commit 9e90d9016d
4 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/app-cli/tests/md_to_html/sanitize_15.html
View File

@ -1 +1 @@
<use href="data:image/svg+xml,&lt;svg id=&apos;x&apos; xmlns=&apos;http://www.w3.org/2000/svg&apos;&gt;&lt;image href=&apos;asdf&apos; onerror=&apos;top.require(`child_process`).execSync(`calc.exe`)&apos; /&gt;&lt;/svg&gt;#x" class="jop-noMdConv"> <use href="#" class="jop-noMdConv">

1
packages/app-cli/tests/md_to_html/sanitize_16.html Normal file
View File

@ -0,0 +1 @@
<map name="test" class="jop-noMdConv"><area coords="0,0,1000,1000" href="#" class="jop-noMdConv"/></map><img usemap="#test" src="https://github.com/Ry0taK.png" class="jop-noMdConv"/>

1
packages/app-cli/tests/md_to_html/sanitize_16.md Normal file
View File

@ -0,0 +1 @@
<map name="test"><area coords="0,0,1000,1000" href="javascript:top.require(`child_process`).execSync(`calc.exe`)"></map><img usemap="#test" src="https://github.com/Ry0taK.png">

22
packages/renderer/htmlUtils.ts
View File

@ -233,18 +233,18 @@ class HtmlUtils {
delete attrs[attrName]; delete attrs[attrName];
} }
if (name === 'a') { // Make sure that only non-acceptable URLs are filtered out. In
// Make sure that only non-acceptable URLs are filtered out. // particular we want to exclude `javascript:` URLs. This
// In particular we want to exclude `javascript:` URLs. // applies to A tags, and also AREA ones but to be safe we don't
if ('href' in attrs && !this.isAcceptedUrl(attrs['href'])) { // filter on the tag name and process all HREF attributes.
attrs['href'] = '#'; if ('href' in attrs && !this.isAcceptedUrl(attrs['href'])) {
} attrs['href'] = '#';
}
// We need to clear any such attribute, otherwise it will // We need to clear any such attribute, otherwise it will
// make any arbitrary link open within the application. // make any arbitrary link open within the application.
if ('data-from-md' in attrs) { if ('data-from-md' in attrs) {
delete attrs['data-from-md']; delete attrs['data-from-md'];
}
} }
if (options.addNoMdConvClass) { if (options.addNoMdConvClass) {