From e797ebb864fbf429a49b6d20e5779d0c9aa6c4d5 Mon Sep 17 00:00:00 2001
From: Laurent Cozic
Date: Thu, 30 Jun 2022 18:25:38 +0100
Subject: [PATCH] Desktop: Security: Fixes XSS in GotoAnything dialog

---
 packages/lib/string-utils.js | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/packages/lib/string-utils.js b/packages/lib/string-utils.js
index 6309a4031..3b361818f 100644
--- a/packages/lib/string-utils.js
+++ b/packages/lib/string-utils.js
@@ -1,3 +1,5 @@
+const Entities = require('html-entities').AllHtmlEntities;
+const htmlentities = new Entities().encode;
 const stringUtilsCommon = require('./string-utils-common.js');
 
 const defaultDiacriticsRemovalMap = [
@@ -294,16 +296,25 @@ function escapeHtml(s) {
 // keywords can either be a list of strings, or a list of objects with the format:
 // { value: 'actualkeyword', type: 'regex/string' }
 // The function surrounds the keywords wherever they are, even within other words.
-function surroundKeywords(keywords, text, prefix, suffix) {
+function surroundKeywords(keywords, text, prefix, suffix, options = null) {
+	options = Object.assign({}, {
+		escapeHtml: false,
+	}, options);
+
 	if (!keywords.length) return text;
 
+	function escapeHtml(s) {
+		if (!options.escapeHtml) return s;
+		return htmlentities(s);
+	}
+
 	let regexString = keywords
 		.map(k => {
 			if (k.type === 'regex') {
-				return stringUtilsCommon.replaceRegexDiacritics(k.valueRegex);
+				return escapeHtml(stringUtilsCommon.replaceRegexDiacritics(k.valueRegex));
 			} else {
 				const value = typeof k === 'string' ? k : k.value;
-				return stringUtilsCommon.replaceRegexDiacritics(stringUtilsCommon.pregQuote(value));
+				return escapeHtml(stringUtilsCommon.replaceRegexDiacritics(stringUtilsCommon.pregQuote(value)));
 			}
 		})
 		.join('|');
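Review bot: Entity-encoding the finished regex source (the two `escapeHtml(...)` wrappers at the end of the second hunk) runs after `replaceRegexDiacritics`, and `AllHtmlEntities.encode` appears to rewrite accented letters into named entities as well as `<>&"'`, so if the diacritic expansion emits character classes such as `[eéè]`, each accented alternative becomes a multi-character sequence inside the class and the pattern no longer means what it did. For the string branch, encoding the raw keyword first keeps the regex well-formed: `return stringUtilsCommon.replaceRegexDiacritics(stringUtilsCommon.pregQuote(escapeHtml(value)));`; the `regex` branch has no equivalent, since a caller-supplied `valueRegex` cannot be entity-encoded without altering it, and that limitation deserves a comment. The inner `escapeHtml` also shadows the module-level `escapeHtml(s)` shown in the hunk header, which is confusing in a file where both exist; a name such as `maybeEncode` would avoid it. The new `options` parameter is undocumented; the leading comment could gain `// options.escapeHtml: when true, keywords are HTML-entity encoded so they match text that has already been escaped`. `surroundKeywords` continues past the end of the hunk.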