
All: Security: Remove "link" and "meta" tags from notes to prevent XSS

This commit is contained in:
Laurent Cozic 2020-10-29 16:19:56 +00:00
parent 4a184721e4
commit fd90a490c0


@ -87,11 +87,16 @@ class HtmlUtils {
return tagStack[tagStack.length - 1];
};
// The BASE tag allows changing the base URL from which files are loaded, and
// that can break several plugins, such as Katex (which needs to load CSS
// files using a relative URL). For that reason it is disabled.
// More info: https://github.com/laurent22/joplin/issues/3021
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed'];
// The BASE tag allows changing the base URL from which files are
// loaded, and that can break several plugins, such as Katex (which
// needs to load CSS files using a relative URL). For that reason
// it is disabled. More info:
// https://github.com/laurent22/joplin/issues/3021
//
// "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway.
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta'];
const parser = new htmlparser2.Parser({