Desktop, Mobile: Filter out form elements from note body to prevent potential XSS (thanks to Dmytro Vdovychinskiy for the PoC)
laurent22 committed Jun 11, 2021
1 parent af9f3ee commit feaecf7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion packages/renderer/htmlUtils.ts
@@ -158,7 +158,7 @@ class HtmlUtils {
// "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway.
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript'];
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript', 'button', 'form', 'input', 'select', 'textarea', 'option', 'optgroup'];
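Review bot: the fix extends a denylist, so every element type not yet on the list is still accepted; consider inverting this into an allowlist of the tags notes actually need, and extend the comment above the array, which explains "link" and "meta" but says nothing about why "button", "form", "input", "select", "textarea", "option" and "optgroup" are now rejected. The comment on this commit describes the issue as JavaScript attributes rather than tags, so it is worth confirming that the attribute sanitizer strips event-handler attributes on every tag that remains allowed, not only on form controls.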

chinskiy Aug 3, 2021

CVE-2021-37916

The sanitizeHtml method in Joplin desktop allows HTML tags with JavaScript attributes, which makes it possible to execute arbitrary JavaScript code from the note body.

The vulnerability was fixed in 2.0.9 by extending the disallowedTags array.


const parser = new htmlparser2.Parser({
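Added example, not Joplin's code: a minimal tag-denylist filter built around the two versions of `disallowedTags` in this diff, run over a constructed note fragment to show that form controls pass through before the change and are dropped after it. The tokenizer, the drop-with-contents behaviour and all names (`filterTags`, `demo`, `SAMPLE_NOTE`) are assumptions made for the demo.

```javascript
// Added example (not Joplin's code): a minimal tag-denylist filter mirroring the
// disallowedTags change in this commit. Disallowed elements are dropped together
// with their contents (assumed for the demo, not a claim about Joplin's sanitizeHtml).
const DISALLOWED_BEFORE = ['script', 'iframe', 'frameset', 'frame', 'object',
  'base', 'embed', 'link', 'meta', 'noscript'];
const DISALLOWED_AFTER = DISALLOWED_BEFORE.concat(
  ['button', 'form', 'input', 'select', 'textarea', 'option', 'optgroup']);
// Void elements never have a closing tag, so they must not open a skip region.
const VOID_ELEMENTS = new Set(['input', 'meta', 'link', 'base', 'embed', 'frame']);
// Matches an opening, closing or self-closing tag and captures its name;
// a deliberately tiny tokenizer for the demo, not a full HTML parser.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;

function filterTags(html, disallowed) {
  const deny = new Set(disallowed.map((t) => t.toLowerCase()));
  let skipDepth = 0; // > 0 while inside a disallowed element
  let out = '';
  let last = 0;
  TAG_RE.lastIndex = 0; // the regex is global and shared between calls
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[0];
    const name = m[1].toLowerCase();
    if (skipDepth === 0) out += html.slice(last, m.index); // text before the tag
    last = m.index + tag.length;
    if (!deny.has(name)) {
      if (skipDepth === 0) out += tag; // allowed tag, kept verbatim
      continue;
    }
    // Disallowed tag: never emitted; track nesting so its contents go too.
    const isClosing = tag.startsWith('</');
    const isSelfClosing = tag.endsWith('/>');
    if (isClosing) skipDepth = Math.max(0, skipDepth - 1);
    else if (!isSelfClosing && !VOID_ELEMENTS.has(name)) skipDepth += 1;
  }
  if (skipDepth === 0) out += html.slice(last); // trailing text; lost if unclosed
  return out;
}

// Constructed note fragment using only element types named in the diff.
const SAMPLE_NOTE =
  'Hello <b>bold</b> <form action="x"><input name="a"><button>Go</button></form> bye';

// Same input before and after the fix: the form controls only disappear once
// they are on the denylist.
function demo() {
  return { before: filterTags(SAMPLE_NOTE, DISALLOWED_BEFORE), after: filterTags(SAMPLE_NOTE, DISALLOWED_AFTER) };
}
```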
