Desktop, Mobile: Security: Disable SVG tag support in editor to preve…

…nt XSS
laurent22 · May 17, 2023 · caf6606 · caf6606 · antoniopaolini · Jun 27, 2023
1 parent 8deba24
commit caf6606
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/packages/app-cli/tests/MdToHtml.ts b/packages/app-cli/tests/MdToHtml.ts
@@ -35,7 +35,7 @@ describe('MdToHtml', () => {
 			const mdFilePath = `${basePath}/${mdFilename}`;
 			const htmlPath = `${basePath}/${filename(mdFilePath)}.html`;
 
-			// if (mdFilename !== 'sanitize_9.md') continue;
+			if (mdFilename !== 'sanitize_15.md') continue;
 
 			const mdToHtmlOptions: any = {
 				bodyOnly: true,

diff --git a/packages/app-cli/tests/md_to_html/sanitize_15.html b/packages/app-cli/tests/md_to_html/sanitize_15.html
@@ -0,0 +1 @@
+<use href="data:image/svg+xml,&lt;svg id=&apos;x&apos; xmlns=&apos;http://www.w3.org/2000/svg&apos;&gt;&lt;image href=&apos;asdf&apos; onerror=&apos;top.require(`child_process`).execSync(`calc.exe`)&apos; /&gt;&lt;/svg&gt;#x" class="jop-noMdConv">
diff --git a/packages/app-cli/tests/md_to_html/sanitize_15.md b/packages/app-cli/tests/md_to_html/sanitize_15.md
@@ -0,0 +1 @@
+<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='asdf' onerror='top.require(`child_process`).execSync(`calc.exe`)' /&gt;&lt;/svg&gt;#x" />
diff --git a/packages/renderer/htmlUtils.ts b/packages/renderer/htmlUtils.ts
@@ -183,17 +183,21 @@ class HtmlUtils {
 
 		// The BASE tag allows changing the base URL from which files are
 		// loaded, and that can break several plugins, such as Katex (which
-		// needs to load CSS files using a relative URL). For that reason
-		// it is disabled. More info:
-		// https://github.com/laurent22/joplin/issues/3021
+		// needs to load CSS files using a relative URL). For that reason it is
+		// disabled. More info: https://github.com/laurent22/joplin/issues/3021
 		//
-		// "link" can be used to escape the parser and inject JavaScript.
-		// Adding "meta" too for the same reason as it shouldn't be used in
-		// notes anyway.
+		// "link" can be used to escape the parser and inject JavaScript. Adding
+		// "meta" too for the same reason as it shouldn't be used in notes
+		// anyway.
+		//
+		// There are too many issues with SVG tags and to handle them properly
+		// we should parse them separately. Currently we are not so it is better
+		// to disable them. SVG graphics are still supported via the IMG tag.
 		const disallowedTags = [
 			'script', 'iframe', 'frameset', 'frame', 'object', 'base',
 			'embed', 'link', 'meta', 'noscript', 'button', 'form',
 			'input', 'select', 'textarea', 'option', 'optgroup',
+			'svg',
 		];
 
 		const parser = new htmlparser2.Parser({