
Fix critical autoLink security issue

1 parent 920fdb4 commit 34ebe36a3d6b070883f9315fa3097f7598ed11e9 @tiff tiff committed
Showing with 29 additions and 2 deletions.
  1. +2 −1 src/dom/auto_link.js
  2. +17 −1 src/lang/string.js
  3. +6 −0 test/dom/auto_link_test.js
  4. +4 −0 test/lang/string_test.js
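--- a/src/dom/auto_link.js
+++ b/src/dom/auto_link.js
@@ -85,11 +85,12 @@
 */
 function _wrapMatchesInNode(textNode) {
 var parentNode = textNode.parentNode,
+ nodeValue = wysihtml5.lang.string(textNode.data).escapeHTML(),
 tempElement = _getTempElement(parentNode.ownerDocument);
 // We need to insert an empty/temporary <span /> to fix IE quirks
 // Elsewise IE would strip white space in the beginning
- tempElement.innerHTML = "<span></span>" + _convertUrlsToLinks(textNode.data);
+ tempElement.innerHTML = "<span></span>" + _convertUrlsToLinks(nodeValue);
 tempElement.removeChild(tempElement.firstChild);
 while (tempElement.firstChild) {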
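Review bot: `_convertUrlsToLinks` on the replaced `innerHTML` line now runs its URL matching over entity-encoded text, so a `&`, `"` or `>` that borders a URL in the original text reaches the matcher as `&amp;`, `&quot;` or `&gt;`; whether the URL pattern (outside this hunk) stops before the `&` of such an entity or absorbs part of it into the link cannot be seen here, so a test with a URL followed by `"` and one containing a query string would settle it. The markup `_convertUrlsToLinks` emits is parsed by `innerHTML`, so its href attribute is only safe because the match is already escaped; a comment on the `nodeValue` line would make that contract explicit, e.g. `// Escape before the text is parsed as HTML below; _convertUrlsToLinks must not unescape the match`. `_wrapMatchesInNode` continues outside the hunk.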
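--- a/src/lang/string.js
+++ b/src/lang/string.js
@@ -1,6 +1,13 @@
 (function() {
 var WHITE_SPACE_START = /^\s+/,
- WHITE_SPACE_END = /\s+$/;
+ WHITE_SPACE_END = /\s+$/,
+ ENTITY_REG_EXP = /[&<>"]/g,
+ ENTITY_MAP = {
+ '&': '&amp;',
+ '<': '&lt;',
+ '>': '&gt;',
+ '"': "&quot;"
+ };
 wysihtml5.lang.string = function(str) {
 str = String(str);
 return {
@@ -36,6 +43,15 @@
 return str.split(search).join(replace);
 }
 };
+ },
+
+ /**
+ * @example
+ * wysihtml5.lang.string("hello<br>").escapeHTML();
+ * // => "hello&lt;br&gt;"
+ */
+ escapeHTML: function() {
+ return str.replace(ENTITY_REG_EXP, function(c) { return ENTITY_MAP[c]; });
 }
 };
 };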
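Review bot: `escapeHTML` leaves `'` untouched because `ENTITY_REG_EXP` and `ENTITY_MAP` cover only `&<>"`, which is sufficient for text content and double-quoted attribute values but not for a single-quoted attribute; the JSDoc above `escapeHTML` should state that scope so a later caller does not rely on it in the wrong context, e.g. `* Escapes &, <, > and " only; safe for text nodes and double-quoted attributes, not for single-quoted ones.` The `/g` flag on the shared `ENTITY_REG_EXP` literal is fine with `String.prototype.replace`, which resets `lastIndex`, but the same object would carry state across `.test()` or `.exec()` calls; a one-line comment at the declaration, `// /g is safe here only because replace() resets lastIndex`, would keep that from being reused unsafely.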
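--- a/test/dom/auto_link_test.js
+++ b/test/dom/auto_link_test.js
@@ -102,4 +102,10 @@ test("Basic test", function() {
 " <a href=\"http://www.google.de\">http://www.google.de</a>",
 "Check if white space in front of url is preserved"
 );
+
+ this.equal(
+ this.autoLink("&lt;b&gt;foo&lt;/b&gt; http://www.google.de"),
+ "&lt;b&gt;foo&lt;/b&gt; <a href=\"http://www.google.de\">http://www.google.de</a>",
+ "Check if plain HTML markup isn't evaluated"
+ );
 });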
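Review bot: The new assertion covers only `<` and `>`, and its input is itself entity-encoded, so whether raw characters ever reach `_wrapMatchesInNode` depends on how `this.autoLink` loads the string into the document (outside this hunk); it is worth confirming that the helper goes through a text node rather than a second `innerHTML` round-trip. A second case with `&` and `"` adjacent to the URL, such as `this.autoLink("&quot;http://www.google.de&quot; &amp; more")`, would pin the interaction between the escaping and the URL matcher, which is the part of the fix most likely to regress; the expected output depends on where the matcher stops, so it has to be derived from the current behaviour rather than assumed.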
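--- a/test/lang/string_test.js
+++ b/test/lang/string_test.js
@@ -16,4 +16,8 @@ test("replace()", function() {
 wysihtml5.lang.string("I LOVE CAKE").replace("CAKE").by("BOOBS"),
 "I LOVE BOOBS"
 );
+});
+
+test("escapeHTML()", function() {
+ equal(wysihtml5.lang.string('&<>"').escapeHTML(), "&amp;&lt;&gt;&quot;");
 });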
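Review bot: The new `escapeHTML()` test pins the four mapped characters but not that everything else passes through unchanged, and it is silent on `'`, which the map deliberately omits; adding `equal(wysihtml5.lang.string("it's 1 < 2").escapeHTML(), "it's 1 &lt; 2");` would document both the pass-through and the single-quote decision in one assertion. An empty-string case, `equal(wysihtml5.lang.string("").escapeHTML(), "");`, is cheap and guards the `String(str)` coercion path.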
