self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2024-12-24 10:27:10 +02:00
Code Issues Releases Activity

Desktop, Mobile: Filter out form elements from note body to prevent potential XSS (thanks to Dmytro Vdovychinskiy for the PoC)

Browse Source
This commit is contained in:
Laurent Cozic 2021-06-11 20:17:45 +02:00
parent af9f3eedd3
commit feaecf7653
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/renderer/htmlUtils.ts
View File

@ -158,7 +158,7 @@ class HtmlUtils {
// "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway.
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript'];
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript', 'button', 'form', 'input', 'select', 'textarea', 'option', 'optgroup'];
const parser = new htmlparser2.Parser({