mirror of
https://github.com/laurent22/joplin.git
synced 2024-12-24 10:27:10 +02:00
Desktop: Security: Fixed possible XSS injection
This commit is contained in:
parent
865cedc24f
commit
b26bc9ed5f
1
packages/app-cli/tests/md_to_html/sanitize_13.html
Normal file
1
packages/app-cli/tests/md_to_html/sanitize_13.html
Normal file
@ -0,0 +1 @@
|
||||
<div class="jop-noMdConv"><svg class="jop-noMdConv"><style class="jop-noMdConv"></svg><iframe srcdoc="<script>top.require('child_process').execSync('calc')</script>"></iframe></div>
|
1
packages/app-cli/tests/md_to_html/sanitize_13.md
Normal file
1
packages/app-cli/tests/md_to_html/sanitize_13.md
Normal file
@ -0,0 +1 @@
|
||||
<div><svg><style></svg><iframe srcdoc="<script>top.require('child_process').execSync('calc')</script>"></iframe></div>
|
@ -235,11 +235,18 @@ class HtmlUtils {
|
||||
ontext: (decodedText: string) => {
|
||||
if (disallowedTagDepth) return;
|
||||
|
||||
|
||||
if (currentTag() === 'style') {
|
||||
// For CSS, we have to put the style as-is inside the tag because if we html-entities encode
|
||||
// it, it's not going to work. But it's ok because JavaScript won't run within the style tag.
|
||||
// Ideally CSS should be loaded from an external file.
|
||||
output.push(decodedText);
|
||||
// For CSS, we have to put the style as-is inside the tag
|
||||
// because if we html-entities encode it, it's not going to
|
||||
// work. But it's ok because JavaScript won't run within the
|
||||
// style tag. Ideally CSS should be loaded from an external
|
||||
// file.
|
||||
|
||||
// We however have to encode at least the `<` characters to
|
||||
// prevent certain XSS injections that would rely on the
|
||||
// content not being encoded (see sanitize_13.md)
|
||||
output.push(decodedText.replace(/</g, '<'));
|
||||
} else {
|
||||
output.push(htmlentities(decodedText));
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user