Merge pull request from GHSA-m59c-9rrj-c399
* Sanitize HTML in processPastedHtml * Add test
This commit is contained in:
parent
b9659bb9c1
commit
a0ec928fca
@ -254,6 +254,7 @@ packages/app-desktop/gui/NoteEditor/utils/contextMenu.js
|
|||||||
packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.js
|
packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/index.js
|
packages/app-desktop/gui/NoteEditor/utils/index.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.js
|
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.js
|
||||||
|
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/types.js
|
packages/app-desktop/gui/NoteEditor/utils/types.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/useDropHandler.js
|
packages/app-desktop/gui/NoteEditor/utils/useDropHandler.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/useEffectiveNoteId.js
|
packages/app-desktop/gui/NoteEditor/utils/useEffectiveNoteId.js
|
||||||
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -239,6 +239,7 @@ packages/app-desktop/gui/NoteEditor/utils/contextMenu.js
|
|||||||
packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.js
|
packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/index.js
|
packages/app-desktop/gui/NoteEditor/utils/index.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.js
|
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.js
|
||||||
|
packages/app-desktop/gui/NoteEditor/utils/resourceHandling.test.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/types.js
|
packages/app-desktop/gui/NoteEditor/utils/types.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/useDropHandler.js
|
packages/app-desktop/gui/NoteEditor/utils/useDropHandler.js
|
||||||
packages/app-desktop/gui/NoteEditor/utils/useEffectiveNoteId.js
|
packages/app-desktop/gui/NoteEditor/utils/useEffectiveNoteId.js
|
||||||
|
@ -0,0 +1,20 @@
|
|||||||
|
import { processPastedHtml } from './resourceHandling';
|
||||||
|
|
||||||
|
describe('resourceHandling', () => {
|
||||||
|
it('should sanitize pasted HTML', async () => {
|
||||||
|
const testCases = [
|
||||||
|
['Test: <style onload="evil()"></style>', 'Test: <style></style>'],
|
||||||
|
['<a href="javascript: alert()">test</a>', '<a href="#">test</a>'],
|
||||||
|
['<script >evil()</script>', ''],
|
||||||
|
['<script>evil()</script>', ''],
|
||||||
|
[
|
||||||
|
'<img onload="document.body.innerHTML = evil;" src="data:image/svg+xml;base64,=="/>',
|
||||||
|
'<img src="data:image/svg+xml;base64,=="/>',
|
||||||
|
],
|
||||||
|
];
|
||||||
|
|
||||||
|
for (const [html, expected] of testCases) {
|
||||||
|
expect(await processPastedHtml(html)).toBe(expected);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
});
|
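Review bot: Every entry in `testCases` contains something the sanitizer must remove, so the test cannot detect the opposite failure, `sanitizeHtml` over-stripping benign markup that users paste every day. A case whose expected output equals its input, e.g. `['<p>Hello <b>world</b></p>', '<p>Hello <b>world</b></p>']`, would guard against that, assuming `sanitizeHtml` does not normalise well-formed markup, which should be confirmed before adding it. The `<img onload=... src="data:image/svg+xml;base64,=="/>` case also pins a deliberate policy, that `data:` image sources are kept while the handler attribute goes; a comment on that case, `// data: sources are allowed; only the event handler must be removed`, would stop a later reader from "fixing" it.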
@ -6,6 +6,7 @@ import Resource from '@joplin/lib/models/Resource';
|
|||||||
const bridge = require('@electron/remote').require('./bridge').default;
|
const bridge = require('@electron/remote').require('./bridge').default;
|
||||||
import ResourceFetcher from '@joplin/lib/services/ResourceFetcher';
|
import ResourceFetcher from '@joplin/lib/services/ResourceFetcher';
|
||||||
import htmlUtils from '@joplin/lib/htmlUtils';
|
import htmlUtils from '@joplin/lib/htmlUtils';
|
||||||
|
import rendererHtmlUtils from '@joplin/renderer/htmlUtils';
|
||||||
import Logger from '@joplin/lib/Logger';
|
import Logger from '@joplin/lib/Logger';
|
||||||
const { fileUriToPath } = require('@joplin/lib/urlUtils');
|
const { fileUriToPath } = require('@joplin/lib/urlUtils');
|
||||||
const joplinRendererUtils = require('@joplin/renderer').utils;
|
const joplinRendererUtils = require('@joplin/renderer').utils;
|
||||||
@ -173,7 +174,9 @@ export async function processPastedHtml(html: string) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return htmlUtils.replaceImageUrls(html, (src: string) => {
|
return rendererHtmlUtils.sanitizeHtml(
|
||||||
return mappedResources[src];
|
htmlUtils.replaceImageUrls(html, (src: string) => {
|
||||||
});
|
return mappedResources[src];
|
||||||
|
})
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
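Review bot: The sanitizer now wraps the result of `replaceImageUrls`, so the `src` values the callback returns from `mappedResources` are subject to `sanitizeHtml`'s URL handling as well; nothing in this hunk or in the new test shows that a mapped resource URL survives it, so an image silently dropped by the sanitizer would go unnoticed. The function itself starts outside the hunk (the `@@` context shows `export async function processPastedHtml(html: string) {`) and would benefit from an explicit `Promise<string>` return type plus a header comment such as `// Returns the pasted HTML with image URLs mapped to resources and with scripts, event-handler attributes and javascript: URLs removed by sanitizeHtml.` Which attributes and URL schemes `sanitizeHtml` actually strips is not visible on this page, so the wording should be checked against `@joplin/renderer/htmlUtils`.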
@ -116,7 +116,7 @@ module.exports = {
|
|||||||
// setupFiles: [],
|
// setupFiles: [],
|
||||||
|
|
||||||
// A list of paths to modules that run some code to configure or set up the testing framework before each test
|
// A list of paths to modules that run some code to configure or set up the testing framework before each test
|
||||||
// setupFilesAfterEnv: [],
|
setupFilesAfterEnv: [`${__dirname}/jest.setup.js`],
|
||||||
|
|
||||||
// The number of seconds after which a test is considered as slow and reported as such in the results.
|
// The number of seconds after which a test is considered as slow and reported as such in the results.
|
||||||
// slowTestThreshold: 5,
|
// slowTestThreshold: 5,
|
||||||
|
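--- /dev/null
+++ b/packages/app-desktop/jest.setup.js
@@ -0,0 +1,19 @@
+
+const { default: Logger, TargetType } = require('@joplin/lib/Logger');
+
+// TODO: Some libraries required by test-utils.js seem to fail to import with the
+// jsdom environment.
+//
+// Thus, require('@joplin/lib/testing/test-utils.js') fails and some setup must be
+// copied.
+
+const logger = new Logger();
+logger.addTarget(TargetType.Console);
+logger.setLevel(Logger.LEVEL_WARN);
+Logger.initializeGlobalLogger(logger);
+
+
+// @electron/remote requires electron to be running. Mock it.
+jest.mock('@electron/remote', () => {
+	return { require };
+});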
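Review bot: The `@electron/remote` mock at the end of the file hands out this file's own `require`, so a call such as `remote.require('./bridge')` (the pattern used in resourceHandling.ts) is resolved relative to `packages/app-desktop/jest.setup.js` instead of in Electron's main process; whether a `./bridge` module exists at that location is not visible here. A one-line comment would save the next reader from tracing that, e.g. `// remote.require(p) becomes a plain require(p) resolved relative to this file.` The mock also exposes nothing but `require`, so any other `@electron/remote` member touched by code under test will be `undefined` under jest, which is worth stating in the same comment.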