self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2025-11-23 22:36:32 +02:00
Code Issues Releases Activity

Desktop, Mobile: Security: Disable SVG tag support in editor to prevent XSS

Browse Source
This commit is contained in:
Laurent Cozic
2023-05-17 16:00:24 +01:00
parent 8deba24d7d
commit caf66068bf
4 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/app-cli/tests/MdToHtml.ts
View File

@@ -35,7 +35,7 @@ describe('MdToHtml', () => {
const mdFilePath = `${basePath}/${mdFilename}`; const mdFilePath = `${basePath}/${mdFilename}`;
const htmlPath = `${basePath}/${filename(mdFilePath)}.html`; const htmlPath = `${basePath}/${filename(mdFilePath)}.html`;
// if (mdFilename !== 'sanitize_9.md') continue; if (mdFilename !== 'sanitize_15.md') continue;
const mdToHtmlOptions: any = { const mdToHtmlOptions: any = {
bodyOnly: true, bodyOnly: true,

1
packages/app-cli/tests/md_to_html/sanitize_15.html Normal file
View File

@@ -0,0 +1 @@
<use href="data:image/svg+xml,&lt;svg id=&apos;x&apos; xmlns=&apos;http://www.w3.org/2000/svg&apos;&gt;&lt;image href=&apos;asdf&apos; onerror=&apos;top.require(`child_process`).execSync(`calc.exe`)&apos; /&gt;&lt;/svg&gt;#x" class="jop-noMdConv">

1
packages/app-cli/tests/md_to_html/sanitize_15.md Normal file
View File

@@ -0,0 +1 @@
<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='asdf' onerror='top.require(`child_process`).execSync(`calc.exe`)' /&gt;&lt;/svg&gt;#x" />
Side by Side

After

Width:  |  Height:  |  Size: 193 B

16
packages/renderer/htmlUtils.ts
View File

@@ -183,17 +183,21 @@ class HtmlUtils {
// The BASE tag allows changing the base URL from which files are // The BASE tag allows changing the base URL from which files are
// loaded, and that can break several plugins, such as Katex (which // loaded, and that can break several plugins, such as Katex (which
// needs to load CSS files using a relative URL). For that reason // needs to load CSS files using a relative URL). For that reason it is
// it is disabled. More info: // disabled. More info: https://github.com/laurent22/joplin/issues/3021
// https://github.com/laurent22/joplin/issues/3021
// //
// "link" can be used to escape the parser and inject JavaScript. // "link" can be used to escape the parser and inject JavaScript. Adding
// Adding "meta" too for the same reason as it shouldn't be used in // "meta" too for the same reason as it shouldn't be used in notes
// notes anyway. // anyway.
//
// There are too many issues with SVG tags and to handle them properly
// we should parse them separately. Currently we are not so it is better
// to disable them. SVG graphics are still supported via the IMG tag.
const disallowedTags = [ const disallowedTags = [
'script', 'iframe', 'frameset', 'frame', 'object', 'base', 'script', 'iframe', 'frameset', 'frame', 'object', 'base',
'embed', 'link', 'meta', 'noscript', 'button', 'form', 'embed', 'link', 'meta', 'noscript', 'button', 'form',
'input', 'select', 'textarea', 'option', 'optgroup', 'input', 'select', 'textarea', 'option', 'optgroup',
'svg',
]; ];
const parser = new htmlparser2.Parser({ const parser = new htmlparser2.Parser({