From b26bc9ed5f16ff9bbd7a8fb8cc4942e461a9827a Mon Sep 17 00:00:00 2001
From: Laurent Cozic
Date: Wed, 10 May 2023 16:27:16 +0100
Subject: [PATCH] Desktop: Security: Fixed possible XSS injection

---
 .../app-cli/tests/md_to_html/sanitize_13.html | 1 +
 packages/app-cli/tests/md_to_html/sanitize_13.md | 1 +
 packages/renderer/htmlUtils.ts | 15 +++++++++++----
 3 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 packages/app-cli/tests/md_to_html/sanitize_13.html
 create mode 100644 packages/app-cli/tests/md_to_html/sanitize_13.md

diff --git a/packages/app-cli/tests/md_to_html/sanitize_13.html b/packages/app-cli/tests/md_to_html/sanitize_13.html
new file mode 100644
index 0000000000..fec1515c95
--- /dev/null
+++ b/packages/app-cli/tests/md_to_html/sanitize_13.html
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/renderer/htmlUtils.ts b/packages/renderer/htmlUtils.ts
index 9c50ac6c9a..926dca3cee 100644
--- a/packages/renderer/htmlUtils.ts
+++ b/packages/renderer/htmlUtils.ts
@@ -235,11 +235,18 @@ class HtmlUtils {
 ontext: (decodedText: string) => {
 if (disallowedTagDepth) return;
+
 if (currentTag() === 'style') {
- // For CSS, we have to put the style as-is inside the tag because if we html-entities encode
- // it, it's not going to work. But it's ok because JavaScript won't run within the style tag.
- // Ideally CSS should be loaded from an external file.
- output.push(decodedText);
+ // For CSS, we have to put the style as-is inside the tag
+ // because if we html-entities encode it, it's not going to
+ // work. But it's ok because JavaScript won't run within the
+ // style tag. Ideally CSS should be loaded from an external
+ // file.
+
+ // We however have to encode at least the `<` characters to
+ // prevent certain XSS injections that would rely on the
+ // content not being encoded (see sanitize_13.md)
+ output.push(decodedText.replace(/