Desktop, Mobile: Security: Disable SVG tag support in editor to prevent XSS

pull/8205/head
Laurent Cozic 2023-05-17 16:00:24 +01:00
parent 8deba24d7d
commit caf66068bf
4 changed files with 13 additions and 7 deletions


@ -35,7 +35,7 @@ describe('MdToHtml', () => {
const mdFilePath = `${basePath}/${mdFilename}`;
const htmlPath = `${basePath}/${filename(mdFilePath)}.html`;
// if (mdFilename !== 'sanitize_9.md') continue;
if (mdFilename !== 'sanitize_15.md') continue;
const mdToHtmlOptions: any = {
bodyOnly: true,
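Review bot: The uncommented filter on the new side, `if (mdFilename !== 'sanitize_15.md') continue;`, restricts the fixture loop to that single file, so every other sanitize_*.md case in the directory is silently skipped while the suite still reports green. The line just above it is the same filter left commented out for sanitize_9, which suggests this is a local debugging aid rather than an intended change; it should be restored to `// if (mdFilename !== 'sanitize_15.md') continue;` or dropped before merge. The enclosing describe block and fixture loop start and end outside the hunk.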


@ -0,0 +1 @@
<use href="data:image/svg+xml,&lt;svg id=&apos;x&apos; xmlns=&apos;http://www.w3.org/2000/svg&apos;&gt;&lt;image href=&apos;asdf&apos; onerror=&apos;top.require(`child_process`).execSync(`calc.exe`)&apos; /&gt;&lt;/svg&gt;#x" class="jop-noMdConv">
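Review bot: The expected sanitized output still contains `<use href="data:image/svg+xml,…">` with the encoded `onerror` handler text preserved inside the href, because the HtmlUtils change denylists only the `svg` wrapper and not SVG child elements such as `use`, `image` or `foreignObject`. Outside an `<svg>` parent an HTML parser presumably treats `use` as an unknown element, so the retained markup is likely inert in the rendered note, but the fixture then documents that a `data:` href carrying script text is allowed through rather than rejected. Consider extending the disallowed-tag list to the SVG-only elements, or having this fixture assert that the `use` element (or at least its `data:` href) is removed, so the test pins the defence rather than the current pass-through.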


@ -0,0 +1 @@
<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='asdf' onerror='top.require(`child_process`).execSync(`calc.exe`)' /&gt;&lt;/svg&gt;#x" />



@ -183,17 +183,21 @@ class HtmlUtils {
// The BASE tag allows changing the base URL from which files are
// loaded, and that can break several plugins, such as Katex (which
// needs to load CSS files using a relative URL). For that reason
// it is disabled. More info:
// https://github.com/laurent22/joplin/issues/3021
// needs to load CSS files using a relative URL). For that reason it is
// disabled. More info: https://github.com/laurent22/joplin/issues/3021
//
// "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway.
// "link" can be used to escape the parser and inject JavaScript. Adding
// "meta" too for the same reason as it shouldn't be used in notes
// anyway.
//
// There are too many issues with SVG tags and to handle them properly
// we should parse them separately. Currently we are not so it is better
// to disable them. SVG graphics are still supported via the IMG tag.
const disallowedTags = [
'script', 'iframe', 'frameset', 'frame', 'object', 'base',
'embed', 'link', 'meta', 'noscript', 'button', 'form',
'input', 'select', 'textarea', 'option', 'optgroup',
'svg',
];
const parser = new htmlparser2.Parser({