Skip to content
Permalink
Browse files Browse the repository at this point in the history
All: Security: Filter out NOSCRIPT tags that could be used to cause a…
…n XSS (thanks to Jubair Rehman for the PoC)
  • Loading branch information
laurent22 committed May 10, 2021
1 parent bb77d71 commit 9c20d59
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions packages/renderer/htmlUtils.ts
Expand Up @@ -133,7 +133,7 @@ class HtmlUtils {
return output.join('').replace(/\s+/g, ' ');
}

sanitizeHtml(html: string, options: any = null) {
public sanitizeHtml(html: string, options: any = null) {
options = Object.assign({}, {
// If true, adds a "jop-noMdConv" class to all the tags.
// It can be used afterwards to restore HTML tags in Markdown.
Expand All @@ -158,7 +158,7 @@ class HtmlUtils {
// "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway.
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta'];
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript'];

const parser = new htmlparser2.Parser({

Expand Down

0 comments on commit 9c20d59

Please sign in to comment.