
Commit 9e90d90

committed
All: Security: Prevent XSS by sanitizing certain HTML attributes
1 parent ccec93e commit 9e90d90


4 files changed

+14
-12
lines changed


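--- a/packages/app-cli/tests/md_to_html/sanitize_15.html
+++ b/packages/app-cli/tests/md_to_html/sanitize_15.html
@@ -1 +1 @@
-<use href="data:image/svg+xml,&lt;svg id=&apos;x&apos; xmlns=&apos;http://www.w3.org/2000/svg&apos;&gt;&lt;image href=&apos;asdf&apos; onerror=&apos;top.require(`child_process`).execSync(`calc.exe`)&apos; /&gt;&lt;/svg&gt;#x" class="jop-noMdConv">
+<use href="#" class="jop-noMdConv">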

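--- a/packages/app-cli/tests/md_to_html/sanitize_16.html
+++ b/packages/app-cli/tests/md_to_html/sanitize_16.html
@@ -0,0 +1 @@
+<map name="test" class="jop-noMdConv"><area coords="0,0,1000,1000" href="#" class="jop-noMdConv"/></map><img usemap="#test" src="https://github.com/Ry0taK.png" class="jop-noMdConv"/>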

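--- a/packages/app-cli/tests/md_to_html/sanitize_16.md
+++ b/packages/app-cli/tests/md_to_html/sanitize_16.md
@@ -0,0 +1 @@
+<map name="test"><area coords="0,0,1000,1000" href="javascript:top.require(`child_process`).execSync(`calc.exe`)"></map><img usemap="#test" src="https://github.com/Ry0taK.png">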

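--- a/packages/renderer/htmlUtils.ts
+++ b/packages/renderer/htmlUtils.ts
@@ -233,18 +233,18 @@ class HtmlUtils {
 delete attrs[attrName];
 }
 
-if (name === 'a') {
-// Make sure that only non-acceptable URLs are filtered out.
-// In particular we want to exclude `javascript:` URLs.
-if ('href' in attrs && !this.isAcceptedUrl(attrs['href'])) {
-attrs['href'] = '#';
-}
+// Make sure that only non-acceptable URLs are filtered out. In
+// particular we want to exclude `javascript:` URLs. This
+// applies to A tags, and also AREA ones but to be safe we don't
+// filter on the tag name and process all HREF attributes.
+if ('href' in attrs && !this.isAcceptedUrl(attrs['href'])) {
+attrs['href'] = '#';
+}
 
-// We need to clear any such attribute, otherwise it will
-// make any arbitrary link open within the application.
-if ('data-from-md' in attrs) {
-delete attrs['data-from-md'];
-}
+// We need to clear any such attribute, otherwise it will
+// make any arbitrary link open within the application.
+if ('data-from-md' in attrs) {
+delete attrs['data-from-md'];
 }
 
 if (options.addNoMdConvClass) {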
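Review bot: The new `'href' in attrs` check matches the attribute name literally, so the legacy SVG spelling `xlink:href` (which the `<use>` element in the sanitize_15 fixture also accepts) is not covered unless attribute names are normalized earlier in the function, which is outside this hunk. If no such normalization exists, the same guard should run for that name, e.g. `if ('xlink:href' in attrs && !this.isAcceptedUrl(attrs['xlink:href'])) attrs['xlink:href'] = '#';`, or a short comment should state where `xlink:href` is handled. Since the comment now promises that all HREF attributes are processed regardless of tag, it would also help to say what `isAcceptedUrl` rejects (the fixture update implies `data:` URLs are rejected along with `javascript:`), so a future reader does not loosen it for one tag. The enclosing method starts and ends outside this hunk.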
