fix: xss improvements while parsing

stdword · Feb 17, 2024 · 089732b · 089732b
1 parent 5ce563f
commit 089732b
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 16 deletions.
diff --git a/src/context.ts b/src/context.ts
@@ -2,7 +2,7 @@ import '@logseq/libs'
 import { BlockEntity, PageEntity } from '@logseq/libs/dist/LSPlugin.user'
 
 import {
-    cleanMacroArg, LogseqReference, p, Properties, PropertiesRefs, PropertiesUtils
+    cleanMacroArg, escape, LogseqReference, p, Properties, PropertiesRefs, PropertiesUtils
 } from './utils'
 import { ITemplate } from './template'
 
@@ -106,7 +106,10 @@ export class Context {
             if (field.startsWith('_'))
                 continue
 
-            if (value instanceof Context)
+            if (value === null || value === undefined) {
+                // do nothing
+            }
+            else if (value instanceof Context)
                 value = value.filterForDisplaying()
             else if (Array.isArray(value))
                 value = value.map(item => {
@@ -126,6 +129,8 @@ export class Context {
                 if (doc.startsWith('async'))
                     value = 'async ' + value
             }
+            else if (typeof value === 'object')
+                value = value.toString()
 
             result[field] = value
         }
@@ -167,7 +172,7 @@ export class PageContext extends Context {
     }
 
     static createFromEntity(page: PageEntity) {
-        const name = page.originalName
+        const name = page.originalName || page['original-name']
         const obj = new PageContext(page.id, name)
         obj._page = page
 
@@ -186,10 +191,12 @@ export class PageContext extends Context {
 
         obj.uuid = page.uuid
 
+        const nameID = escape(obj.name_!, ['"'])
+
         // @ts-expect-error
         const path = top!.logseq.api.datascript_query(`[:find ?path
          :where
-            [?p :block/name "${obj.name_}"]
+            [?p :block/name "${nameID}"]
             [?p :block/file ?f]
             [?f :file/path ?path]
         ]`)?.flat().at(0)
@@ -201,8 +208,9 @@ export class PageContext extends Context {
 
         obj.isJournal = page['journal?']
 
-        if (page.journalDay)
-            obj.day = PageContext.parseDay(page.journalDay)
+        const day = page.journalDay || page['journal-day']
+        if (day)
+            obj.day = PageContext.parseDay(day)
         return obj
     }
     static empty() {

diff --git a/src/tags.ts b/src/tags.ts
@@ -324,7 +324,7 @@ function query_refsCount(context: ILogseqContext, page: PageContext | string = '
         name = page.name!
     else if (page)
         name = _asString(page)
-    name = name.toLowerCase()
+    name = escape(name.toLowerCase(), ['"'])
 
     // @ts-expect-error
     const refs = top!.logseq.api.datascript_query(`
@@ -351,7 +351,7 @@ function queryRefs(
         name = page.name!
     else if (page)
         name = _asString(page)
-    name = name.toLowerCase()
+    name = escape(name.toLowerCase(), ['"'])
 
     let filterOnly = ''
     if (only === 'journals')

diff --git a/src/utils/logseq.ts b/src/utils/logseq.ts
@@ -1,6 +1,6 @@
 import { IBatchBlock, BlockEntity, PageEntity, BlockIdentity, EntityID } from '@logseq/libs/dist/LSPlugin.user'
 
-import { escapeForRegExp, f, indexOfNth, p, sleep } from './other'
+import { escape, escapeForRegExp, f, indexOfNth, p, sleep } from './other'
 import { isEmptyString, isInteger, isUUID, unquote } from './parsing'
 
 
@@ -256,13 +256,15 @@ export async function getBlock(
         if (!byProperty)
             return [ null, 'name' ]
 
+        const name = escape(ref.value.toString(), ['"'])
+
         const query = `
             [:find (pull ?b [*])
              :where
                 [?b :block/properties ?props]
                 [?b :block/page]
                 [(get ?props :${byProperty}) ?name]
-                [(= ?name "${ref.value}")]
+                [(= ?name "${name}")]
             ]
         `.trim()
 
@@ -303,8 +305,10 @@ export async function getPageFirstBlock(
         return null
 
     let idValue = ref.value.toString().toLowerCase()
-    if (ref.type !== 'id')
+    if (ref.type !== 'id') {
+        idValue = escape(idValue, ['"'])
         idValue = `"${idValue}"`
+    }
 
     let idField = ':block/name'
     if (ref.type === 'uuid')
@@ -419,13 +423,14 @@ export class PropertiesUtils {
 
         let refs: string[] = []
         if (obj.properties) {
-            const val = obj.properties[nameCamelCased]
+            const val = obj.properties[nameCamelCased] ?? obj.properties[name]
             refs = Array.isArray(val) ? val : []
         }
 
         let text: string = ''
-        if (obj.propertiesTextValues)
-            text = obj.propertiesTextValues[nameCamelCased] ?? ''
+        const textContainer = obj.propertiesTextValues || obj['properties-text-values']
+        if (textContainer)
+            text = textContainer[nameCamelCased] ?? textContainer[name] ?? ''
 
         return {
             name: nameCamelCased,

diff --git a/src/utils/other.ts b/src/utils/other.ts
@@ -94,15 +94,19 @@ export function sleep(ms: number) {
     return new Promise(resolve => setTimeout(resolve, ms))
  }
 
+export function escape(str: string, specials: string[]) {
+    const replacer = new RegExp('(\\' + specials.join('|\\') + ')', 'g')
+    return str.replaceAll(replacer, '\\$1')
+}
+
 export function escapeForRegExp(str: string) {
     const specials = [
         // '-', '^', '$',
         '/', '.', '*', '+', '?', '|',
         '(', ')', '[', ']', '{', '}', '\\',
     ]
 
-    const replacer = new RegExp('(\\' + specials.join('|\\') + ')', 'g')
-    return str.replaceAll(replacer, '\\$1')
+    return escape(str, specials)
 
     // alternative from MDN
     // return str.replace(/[.*+\-?^${}()|[\]\\]/g, '\\$&')