Desktop: Security: Disallow map and area tags (#8479)

laurent22 · Jul 15, 2023 · 7c52c3e · 7c52c3e
1 parent 68ffdc5
commit 7c52c3e
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/packages/app-cli/tests/md_to_html/sanitize_16.html b/packages/app-cli/tests/md_to_html/sanitize_16.html
@@ -1 +1 @@
-<map name="test" class="jop-noMdConv"><area coords="0,0,1000,1000" href="#" class="jop-noMdConv"/></map><img usemap="#test" src="https://github.com/Ry0taK.png" class="jop-noMdConv"/>
+<img usemap="#test" src="https://github.com/Ry0taK.png" class="jop-noMdConv"/>
diff --git a/packages/renderer/htmlUtils.ts b/packages/renderer/htmlUtils.ts
@@ -203,6 +203,11 @@ class HtmlUtils {
 			'embed', 'link', 'meta', 'noscript', 'button', 'form',
 			'input', 'select', 'textarea', 'option', 'optgroup',
 			'svg',
+
+			// Disallow map and area tags: <area ...> links are currently not
+			// sanitized as well as <a ...> links, allowing potential sandbox
+			// escape.
+			'map', 'area',
 		];
 
 		const parser = new htmlparser2.Parser({
@@ -300,8 +305,15 @@ class HtmlUtils {
 
 				if (current === name.toLowerCase()) tagStack.pop();
 
-				if (disallowedTags.includes(current)) {
-					disallowedTagDepth--;
+				// The Markdown sanitization code can result in calls like this:
+				//     sanitizeHtml('<invlaid>')
+				//     sanitizeHtml('</invalid>')
+				// Thus, we need to be able to remove '</invalid>', even if there is no
+				// corresponding opening tag.
+				if (disallowedTags.includes(current) || disallowedTags.includes(name)) {
+					if (disallowedTagDepth > 0) {
+						disallowedTagDepth--;
+					}
 					return;
 				}