Desktop: Security: Remove the `name` attribute when rendering to HTML (#11591)

2025-01-06 09:33:19 -08:00 · 2025-01-06 09:33:19 -08:00 · e70efcbd60
parent ac154ee1e8
commit e70efcbd60
3 changed files with 11 additions and 0 deletions
--- a/packages/app-cli/tests/md_to_html/sanitize_22.html
+++ b/packages/app-cli/tests/md_to_html/sanitize_22.html
@ -0,0 +1,2 @@
+<img src="test/" class="jop-noMdConv"/>
+<img src="http://example.com/test.png" class="jop-noMdConv"/>
--- a/packages/app-cli/tests/md_to_html/sanitize_22.md
+++ b/packages/app-cli/tests/md_to_html/sanitize_22.md
@ -0,0 +1,3 @@
+<img name=getElementById src=test/>
+
+<IMG NAME="getElementById" SRC="http://example.com/test.png">
--- a/packages/renderer/htmlUtils.ts
+++ b/packages/renderer/htmlUtils.ts
@ -308,6 +308,12 @@ class HtmlUtils {
 					attrs['href'] = '#';
 				}

+				// Allowing the 'name' attribute allows an attacker to overwrite
+				// DOM methods (e.g. getElementById) with elements.
+				if ('name' in attrs) {
+					delete attrs['name'];
+				}
+
 				// We need to clear any such attribute, otherwise it will
 				// make any arbitrary link open within the application.
 				if ('data-from-md' in attrs) {