
Desktop: Security: Fixes XSS in GotoAnything dialog

Laurent Cozic 2022-06-30 18:25:38 +01:00
parent f99b8dfde8
commit e797ebb864


@ -1,3 +1,5 @@
const Entities = require('html-entities').AllHtmlEntities;
const htmlentities = new Entities().encode;
const stringUtilsCommon = require('./string-utils-common.js');
const defaultDiacriticsRemovalMap = [
@ -294,16 +296,25 @@ function escapeHtml(s) {
// keywords can either be a list of strings, or a list of objects with the format:
// { value: 'actualkeyword', type: 'regex/string' }
// The function surrounds the keywords wherever they are, even within other words.
function surroundKeywords(keywords, text, prefix, suffix) {
function surroundKeywords(keywords, text, prefix, suffix, options = null) {
options = Object.assign({}, {
escapeHtml: false,
}, options);
if (!keywords.length) return text;
function escapeHtml(s) {
if (!options.escapeHtml) return s;
return htmlentities(s);
}
let regexString = keywords
.map(k => {
if (k.type === 'regex') {
return stringUtilsCommon.replaceRegexDiacritics(k.valueRegex);
return escapeHtml(stringUtilsCommon.replaceRegexDiacritics(k.valueRegex));
} else {
const value = typeof k === 'string' ? k : k.value;
return stringUtilsCommon.replaceRegexDiacritics(stringUtilsCommon.pregQuote(value));
return escapeHtml(stringUtilsCommon.replaceRegexDiacritics(stringUtilsCommon.pregQuote(value)));
}
})
.join('|');