| author | Max Wu | 2019-04-14 12:07:16 -0400 | 
|---|---|---|
| committer | Sheogorath | 2019-04-16 14:05:26 +0200 | 
| commit | fb399ebe73950bec5403a4060a91ab9cfd90eb1a (patch) | |
| tree | 814c2794da5a6e95ed21ab019dcd3f3c0ea10115 | |
| parent | 074198f941ec7559d3555ed70ee6b42f6f56512f (diff) | |
Fix stored XSS in the graphviz error message rendering [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
Co-Authored-By: Sheogorath <sheogorath@shivering-isles.com>
| -rw-r--r-- | package.json | 1 | ||||
| -rw-r--r-- | public/js/extra.js | 13 | 
2 files changed, 8 insertions, 6 deletions
|
diff --git a/package.json b/package.json
index 331d42d4..c0d3cf91 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,7 @@
     "diff-match-patch": "git+https://github.com/hackmdio/diff-match-patch.git",
     "ejs": "^2.5.5",
     "emojify.js": "~1.1.0",
+    "escape-html": "^1.0.3",
     "express": ">=4.14",
     "express-session": "^1.14.2",
     "file-saver": "^1.3.3",
diff --git a/public/js/extra.js b/public/js/extra.js
index b80290d1..011e2143 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -15,6 +15,7 @@ import hljs from 'highlight.js'
 import PDFObject from 'pdfobject'
 import S from 'string'
 import { saveAs } from 'file-saver'
+import escapeHTML from 'escape-html'
 require('./lib/common/login')
 require('../vendor/md-toc')
@@ -323,7 +324,7 @@ export function finishView (view) {
       svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet')
     } catch (err) {
       $value.unwrap()
-      $value.parent().append('<div class="alert alert-warning">' + err + '</div>')
+      $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
       console.warn(err)
     }
   })
@@ -347,7 +348,7 @@ export function finishView (view) {
       $value.children().unwrap().unwrap()
     } catch (err) {
       $value.unwrap()
-      $value.parent().append('<div class="alert alert-warning">' + err + '</div>')
+      $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
       console.warn(err)
     }
   })
@@ -366,7 +367,7 @@ export function finishView (view) {
       $value.children().unwrap().unwrap()
     } catch (err) {
       $value.unwrap()
-      $value.parent().append('<div class="alert alert-warning">' + err + '</div>')
+      $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
       console.warn(err)
     }
   })
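Review bot: In the catch block of the `-323,7` hunk, `escapeHTML(err)` is only sufficient because the value lands in element text content; the call site still assembles HTML from a string, so a later edit that moves the value into an attribute or drops a quote would reintroduce the injection. Building the node and setting the message through jQuery's text setter removes the markup construction entirely: `$value.parent().append($('<div class="alert alert-warning"></div>').text(String(err)))`. The same pattern applies to the `-347,7` and `-366,7` hunks here and to the `-388,7` and `-408,7` hunks below. Note that escape-html coerces its argument to a string, so the Error's `toString()` output, not its stack, is what reaches the page. finishView begins and ends outside these hunks.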
@@ -388,7 +389,7 @@ export function finishView (view) {
       }
       $value.unwrap()
-      $value.parent().append('<div class="alert alert-warning">' + errormessage + '</div>')
+      $value.parent().append(`<div class="alert alert-warning">${escapeHTML(errormessage)}</div>`)
       console.warn(errormessage)
     }
   })
@@ -408,7 +409,7 @@ export function finishView (view) {
       svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet')
     } catch (err) {
       $value.unwrap()
-      $value.parent().append('<div class="alert alert-warning">' + err + '</div>')
+      $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
       console.warn(err)
     }
   })
@@ -568,7 +569,7 @@ export function postProcess (code) {
     if (warning && warning.length > 0) {
       warning.text(md.metaError)
     } else {
-      warning = $('<div id="meta-error" class="alert alert-warning">' + md.metaError + '</div>')
+      warning = $(`<div id="meta-error" class="alert alert-warning">${escapeHTML(md.metaError)}</div>`)
       result.prepend(warning)
     }
   }
|
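Review bot: In the `-568,7` hunk the two branches now handle `md.metaError` differently: the existing-element branch uses `warning.text(md.metaError)` while the create branch interpolates `escapeHTML(md.metaError)` into markup. Making the else branch mirror the first keeps a single sink style and drops the escaping step: `warning = $('<div id="meta-error" class="alert alert-warning"></div>').text(md.metaError)`. postProcess starts and ends outside the hunk.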
