From 762b4e88f888ce104584293c10ac5d9ea21ad6de Mon Sep 17 00:00:00 2001
From: Laurent Cozic
Date: Mon, 14 Nov 2022 17:16:59 +0000
Subject: [PATCH] All: Security: Fix XSS when a specially crafted string is passed to the renderer
---
 packages/app-cli/tests/md_to_html/sanitize_12.html | 1 +
 packages/app-cli/tests/md_to_html/sanitize_12.md | 3 +++
 packages/renderer/MdToHtml.ts | 4 +++-
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 packages/app-cli/tests/md_to_html/sanitize_12.html
 create mode 100644 packages/app-cli/tests/md_to_html/sanitize_12.md
diff --git a/packages/app-cli/tests/md_to_html/sanitize_12.html b/packages/app-cli/tests/md_to_html/sanitize_12.html
new file mode 100644
index 0000000000..c8a5e8c242
--- /dev/null
+++ b/packages/app-cli/tests/md_to_html/sanitize_12.html
@@ -0,0 +1 @@
+
ts
ts
diff --git a/packages/app-cli/tests/md_to_html/sanitize_12.md b/packages/app-cli/tests/md_to_html/sanitize_12.md
new file mode 100644
index 0000000000..22f71bb68f
--- /dev/null
+++ b/packages/app-cli/tests/md_to_html/sanitize_12.md
@@ -0,0 +1,3 @@
+```">
+ts
+```
diff --git a/packages/renderer/MdToHtml.ts b/packages/renderer/MdToHtml.ts
index 333c0e7cd3..1e57d69931 100644
--- a/packages/renderer/MdToHtml.ts
+++ b/packages/renderer/MdToHtml.ts
@@ -8,6 +8,8 @@ import { RenderResult, RenderResultPluginAsset } from './MarkupToHtml';
 import { Options as NoteStyleOptions } from './noteStyle';
 import hljs from './highlight';
+const Entities = require('html-entities').AllHtmlEntities;
+const htmlentities = new Entities().encode;
 const MarkdownIt = require('markdown-it');
 const md5 = require('md5');
@@ -482,7 +484,7 @@ export default class MdToHtml {
 // The strings includes the last \n that is part of the fence,
 // so we remove it because we need the exact code in the source block
 const trimmedStr = this.removeLastNewLine(str);
- const sourceBlockHtml = `
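Review bot: The two `require` lines added at the top of MdToHtml.ts bring in a second HTML encoder, although the fence code further down this file already calls `markdownIt.utils.escapeHtml`, which escapes `&`, `<`, `>` and `"` and would presumably be enough for a double-quoted attribute value; one escaping routine for both attribute and body leaves a single path to audit. If `html-entities` stays, `new Entities().encode` is taken off its instance and so depends on `encode` never reading `this`; a wrapper such as `const htmlentities = (s: string) => new Entities().encode(s);` removes that assumption. A short comment above the import saying which value it encodes and that the attribute must stay double-quoted would help the next reader. The call site is in the second hunk of this file, whose changed lines are not legible in this copy, so it could not be checked here.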
${markdownIt.utils.escapeHtml(trimmedStr)}
`;
+ const sourceBlockHtml = `
${markdownIt.utils.escapeHtml(trimmedStr)}
`;
 if (this.shouldSkipHighlighting(trimmedStr, lang)) {
 outputCodeHtml = markdownIt.utils.escapeHtml(trimmedStr);