Merge pull request from GHSA-m59c-9rrj-c399

* Sanitize HTML in processPastedHtml

* Add test

.eslintignore

@@ -254,6 +254,7 @@ packages/app-desktop/gui/NoteEditor/utils/contextMenu.js
 packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.js
 packages/app-desktop/gui/NoteEditor/utils/index.js
 packages/app-desktop/gui/NoteEditor/utils/resourceHandling.js
+packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.js
 packages/app-desktop/gui/NoteEditor/utils/types.js
 packages/app-desktop/gui/NoteEditor/utils/useDropHandler.js
 packages/app-desktop/gui/NoteEditor/utils/useEffectiveNoteId.js

.gitignore

@@ -239,6 +239,7 @@ packages/app-desktop/gui/NoteEditor/utils/contextMenu.js
 packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.js
 packages/app-desktop/gui/NoteEditor/utils/index.js
 packages/app-desktop/gui/NoteEditor/utils/resourceHandling.js
+packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.js
 packages/app-desktop/gui/NoteEditor/utils/types.js
 packages/app-desktop/gui/NoteEditor/utils/useDropHandler.js
 packages/app-desktop/gui/NoteEditor/utils/useEffectiveNoteId.js

packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.ts

@@ -0,0 +1,20 @@
+import { processPastedHtml } from './resourceHandling';
+
+describe('resourceHandling', () => {
+	it('should sanitize pasted HTML', async () => {
+		const testCases = [
+			['Test: <style onload="evil()"></style>', 'Test: <style></style>'],
+			['<a href="javascript: alert()">test</a>', '<a href="#">test</a>'],
+			['<script >evil()</script>', ''],
+			['<script>evil()</script>', ''],
+			[
+				'<img onload="document.body.innerHTML = evil;" src="data:image/svg+xml;base64,=="/>',
+				'<img src="data:image/svg+xml;base64,=="/>',
+			],
+		];
+
+		for (const [html, expected] of testCases) {
+			expect(await processPastedHtml(html)).toBe(expected);
+		}
+	});
+});

packages/app-desktop/gui/NoteEditor/utils/resourceHandling.ts

@@ -6,6 +6,7 @@ import Resource from '@joplin/lib/models/Resource';
 const bridge = require('@electron/remote').require('./bridge').default;
 import ResourceFetcher from '@joplin/lib/services/ResourceFetcher';
 import htmlUtils from '@joplin/lib/htmlUtils';
+import rendererHtmlUtils from '@joplin/renderer/htmlUtils';
 import Logger from '@joplin/lib/Logger';
 const { fileUriToPath } = require('@joplin/lib/urlUtils');
 const joplinRendererUtils = require('@joplin/renderer').utils;
@@ -173,7 +174,9 @@ export async function processPastedHtml(html: string) {
 		}
 	}
 
-	return htmlUtils.replaceImageUrls(html, (src: string) => {
-		return mappedResources[src];
-	});
+	return rendererHtmlUtils.sanitizeHtml(
+		htmlUtils.replaceImageUrls(html, (src: string) => {
+			return mappedResources[src];
+		})
+	);
 }

packages/app-desktop/jest.config.js

@@ -116,7 +116,7 @@ module.exports = {
 	// setupFiles: [],
 
 	// A list of paths to modules that run some code to configure or set up the testing framework before each test
-	// setupFilesAfterEnv: [],
+	setupFilesAfterEnv: [`${__dirname}/jest.setup.js`],
 
 	// The number of seconds after which a test is considered as slow and reported as such in the results.
 	// slowTestThreshold: 5,

packages/app-desktop/jest.setup.js

@@ -0,0 +1,19 @@
+
+const { default: Logger, TargetType } = require('@joplin/lib/Logger');
+
+// TODO: Some libraries required by test-utils.js seem to fail to import with the
+// jsdom environment.
+//
+// Thus, require('@joplin/lib/testing/test-utils.js') fails and some setup must be
+// copied.
+
+const logger = new Logger();
+logger.addTarget(TargetType.Console);
+logger.setLevel(Logger.LEVEL_WARN);
+Logger.initializeGlobalLogger(logger);
+
+
+// @electron/remote requires electron to be running. Mock it.
+jest.mock('@electron/remote', () => {
+	return { require };
+});