All: Security: Filter out NOSCRIPT tags that could be used to cause an XSS (thanks to Jubair Rehman for the PoC)

Laurent Cozic 2021-05-10 11:22:12 +02:00
parent bb77d7171a
commit 9c20d5947d
1 changed files with 2 additions and 2 deletions


@ -133,7 +133,7 @@ class HtmlUtils {
return output.join('').replace(/\s+/g, ' '); return output.join('').replace(/\s+/g, ' ');
} }
sanitizeHtml(html: string, options: any = null) { public sanitizeHtml(html: string, options: any = null) {
options = Object.assign({}, { options = Object.assign({}, {
// If true, adds a "jop-noMdConv" class to all the tags. // If true, adds a "jop-noMdConv" class to all the tags.
// It can be used afterwards to restore HTML tags in Markdown. // It can be used afterwards to restore HTML tags in Markdown.
@ -158,7 +158,7 @@ class HtmlUtils {
// "link" can be used to escape the parser and inject JavaScript. // "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in // Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway. // notes anyway.
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta']; const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript'];
const parser = new htmlparser2.Parser({ const parser = new htmlparser2.Parser({