From fb399ebe73950bec5403a4060a91ab9cfd90eb1a Mon Sep 17 00:00:00 2001 From: Max Wu Date: Sun, 14 Apr 2019 12:07:16 -0400 Subject: Fix stored XSS in the graphviz error message rendering [Security Issue] Signed-off-by: Max Wu Co-Authored-By: Sheogorath --- package.json | 1 + public/js/extra.js | 13 +++++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/package.json b/package.json index 331d42d4..c0d3cf91 100644 --- a/package.json +++ b/package.json @@ -37,6 +37,7 @@ "diff-match-patch": "git+https://github.com/hackmdio/diff-match-patch.git", "ejs": "^2.5.5", "emojify.js": "~1.1.0", + "escape-html": "^1.0.3", "express": ">=4.14", "express-session": "^1.14.2", "file-saver": "^1.3.3", diff --git a/public/js/extra.js b/public/js/extra.js index b80290d1..011e2143 100644 --- a/public/js/extra.js +++ b/public/js/extra.js @@ -15,6 +15,7 @@ import hljs from 'highlight.js' import PDFObject from 'pdfobject' import S from 'string' import { saveAs } from 'file-saver' +import escapeHTML from 'escape-html' require('./lib/common/login') require('../vendor/md-toc') @@ -323,7 +324,7 @@ export function finishView (view) { svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet') } catch (err) { $value.unwrap() - $value.parent().append('
' + err + '
') + $value.parent().append(`
${escapeHTML(err)}
`) console.warn(err) } }) @@ -347,7 +348,7 @@ export function finishView (view) { $value.children().unwrap().unwrap() } catch (err) { $value.unwrap() - $value.parent().append('
' + err + '
') + $value.parent().append(`
${escapeHTML(err)}
`) console.warn(err) } }) @@ -366,7 +367,7 @@ export function finishView (view) { $value.children().unwrap().unwrap() } catch (err) { $value.unwrap() - $value.parent().append('
' + err + '
') + $value.parent().append(`
${escapeHTML(err)}
`) console.warn(err) } }) @@ -388,7 +389,7 @@ export function finishView (view) { } $value.unwrap() - $value.parent().append('
' + errormessage + '
') + $value.parent().append(`
${escapeHTML(errormessage)}
`) console.warn(errormessage) } }) @@ -408,7 +409,7 @@ export function finishView (view) { svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet') } catch (err) { $value.unwrap() - $value.parent().append('
' + err + '
') + $value.parent().append(`
${escapeHTML(err)}
`) console.warn(err) } }) @@ -568,7 +569,7 @@ export function postProcess (code) { if (warning && warning.length > 0) { warning.text(md.metaError) } else { - warning = $('
' + md.metaError + '
') + warning = $(`
${escapeHTML(md.metaError)}
`) result.prepend(warning) } } -- cgit v1.2.3