mirror of
https://github.com/laurent22/joplin.git
synced 2025-01-11 18:24:43 +02:00
All: Security: Fix XSS when a specially crafted string is passed to the renderer
This commit is contained in:
parent
a7213453c7
commit
a2de167b95
1
packages/app-cli/tests/md_to_html/sanitize_12.html
Normal file
1
packages/app-cli/tests/md_to_html/sanitize_12.html
Normal file
@ -0,0 +1 @@
|
||||
<div class="joplin-editable"><pre class="joplin-source" data-joplin-language=""><svg/onload=top.eval(atob("cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ29wZW4gLW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAvQ29udGVudHMvTWFjT1MvQ2FsY3VsYXRvcicp"))>" data-joplin-source-open="```"><svg/onload=top.eval(atob("cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ29wZW4gLW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAvQ29udGVudHMvTWFjT1MvQ2FsY3VsYXRvcicp"))> " data-joplin-source-close=" ```">ts</pre><pre class="hljs"><code><span class="hljs-attribute">ts</span></code></pre></div>
|
3
packages/app-cli/tests/md_to_html/sanitize_12.md
Normal file
3
packages/app-cli/tests/md_to_html/sanitize_12.md
Normal file
@ -0,0 +1,3 @@
|
||||
```"><svg/onload=top.eval(atob("cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ29wZW4gLW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAvQ29udGVudHMvTWFjT1MvQ2FsY3VsYXRvcicp"))>
|
||||
ts
|
||||
```
|
@ -8,6 +8,8 @@ import { RenderResult, RenderResultPluginAsset } from './MarkupToHtml';
|
||||
import { Options as NoteStyleOptions } from './noteStyle';
|
||||
import hljs from './highlight';
|
||||
|
||||
const Entities = require('html-entities').AllHtmlEntities;
|
||||
const htmlentities = new Entities().encode;
|
||||
const MarkdownIt = require('markdown-it');
|
||||
const md5 = require('md5');
|
||||
|
||||
@ -482,7 +484,7 @@ export default class MdToHtml {
|
||||
// The strings includes the last \n that is part of the fence,
|
||||
// so we remove it because we need the exact code in the source block
|
||||
const trimmedStr = this.removeLastNewLine(str);
|
||||
const sourceBlockHtml = `<pre class="joplin-source" data-joplin-language="${lang}" data-joplin-source-open="\`\`\`${lang} " data-joplin-source-close=" \`\`\`">${markdownIt.utils.escapeHtml(trimmedStr)}</pre>`;
|
||||
const sourceBlockHtml = `<pre class="joplin-source" data-joplin-language="${htmlentities(lang)}" data-joplin-source-open="\`\`\`${htmlentities(lang)} " data-joplin-source-close=" \`\`\`">${markdownIt.utils.escapeHtml(trimmedStr)}</pre>`;
|
||||
|
||||
if (this.shouldSkipHighlighting(trimmedStr, lang)) {
|
||||
outputCodeHtml = markdownIt.utils.escapeHtml(trimmedStr);
|
||||
|
Loading…
Reference in New Issue
Block a user