From fd90a490c0e5cacd17bfe0ffc422be1d2a9b1c13 Mon Sep 17 00:00:00 2001
From: Laurent Cozic
Date: Thu, 29 Oct 2020 16:19:56 +0000
Subject: [PATCH] All: Security: Remove "link" and "meta" tags from notes to prevent XSS
---
 .../lib/joplin-renderer/htmlUtils.js | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/ReactNativeClient/lib/joplin-renderer/htmlUtils.js b/ReactNativeClient/lib/joplin-renderer/htmlUtils.js
index f9af4d978..a9581f70a 100644
--- a/ReactNativeClient/lib/joplin-renderer/htmlUtils.js
+++ b/ReactNativeClient/lib/joplin-renderer/htmlUtils.js
@@ -87,11 +87,16 @@ class HtmlUtils {
 return tagStack[tagStack.length - 1];
 };
- // The BASE tag allows changing the base URL from which files are loaded, and
- // that can break several plugins, such as Katex (which needs to load CSS
- // files using a relative URL). For that reason it is disabled.
- // More info: https://github.com/laurent22/joplin/issues/3021
- const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed'];
+ // The BASE tag allows changing the base URL from which files are
+ // loaded, and that can break several plugins, such as Katex (which
+ // needs to load CSS files using a relative URL). For that reason
+ // it is disabled. More info:
+ // https://github.com/laurent22/joplin/issues/3021
+ //
+ // "link" can be used to escape the parser and inject JavaScript.
+ // Adding "meta" too for the same reason as it shouldn't be used in
+ // notes anyway.
+ const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta'];
 const parser = new htmlparser2.Parser({
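Review bot: `disallowedTags` remains a denylist, so the sanitizer fails open: any element not named in the array is passed through, and each newly reported vector needs another commit like this one. Since the new comment already reasons that `meta` "shouldn't be used in notes anyway", an allowlist of the tags notes are expected to contain would apply that reasoning to every tag and fail closed. If the denylist stays, the added comment should reference the originating report the way the BASE paragraph links its issue, e.g. `// "link" can be used to escape the parser and inject JavaScript (see <ISSUE-URL>).`, and a regression test should assert that `link` and `meta` elements are stripped from rendered notes. How the names in the array are matched (case folding, the parser handlers that consume it) lies outside this hunk, since the enclosing function starts and ends beyond it, so that part could not be checked here.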