From 9c20d5947d1fa4678a8b640792ff3d31224f0adf Mon Sep 17 00:00:00 2001
From: Laurent Cozic
Date: Mon, 10 May 2021 11:22:12 +0200
Subject: [PATCH] All: Security: Filter out NOSCRIPT tags that could be used to cause an XSS (thanks to Jubair Rehman for the PoC)

---
 packages/renderer/htmlUtils.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/renderer/htmlUtils.ts b/packages/renderer/htmlUtils.ts
index 34c751a35..1262ae6fd 100644
--- a/packages/renderer/htmlUtils.ts
+++ b/packages/renderer/htmlUtils.ts
@@ -133,7 +133,7 @@ class HtmlUtils {
 return output.join('').replace(/\s+/g, ' ');
 }
- sanitizeHtml(html: string, options: any = null) {
+ public sanitizeHtml(html: string, options: any = null) {
 options = Object.assign({}, {
 // If true, adds a "jop-noMdConv" class to all the tags.
 // It can be used afterwards to restore HTML tags in Markdown.
@@ -158,7 +158,7 @@ class HtmlUtils {
 // "link" can be used to escape the parser and inject JavaScript.
 // Adding "meta" too for the same reason as it shouldn't be used in
 // notes anyway.
- const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta'];
+ const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript'];
 const parser = new htmlparser2.Parser({
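Review bot: The new `public sanitizeHtml(html: string, options: any = null)` signature exposes the sanitizer as part of the class's public API while leaving its options untyped, so callers get no compile-time check on the keys merged by the `Object.assign` call that follows. Now that it is public, the `options` parameter should be an explicit interface (a constructed name such as `SanitizeHtmlOptions | null`) listing the keys the method reads, and the method deserves a TSDoc header; a reasonable one is `/** Strips tags that can execute script or escape the HTML parser (see the disallowed-tag list in the body); treat the input as untrusted and the output as safe only for the renderer's own contexts. */`. The body of sanitizeHtml continues well past this hunk, so the full option set is not visible here and the interface should be derived from the `Object.assign` defaults in the file.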