Fix stored XSS in the graphviz error message rendering [Security Issue]

Signed-off-by: Max Wu <jackymaxj@gmail.com>

Co-Authored-By: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Max Wu 2019-04-14 12:07:16 -04:00 committed by Sheogorath
parent 074198f941
commit fb399ebe73
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
2 changed files with 8 additions and 6 deletions

View file

@ -37,6 +37,7 @@
"diff-match-patch": "git+https://github.com/hackmdio/diff-match-patch.git", "diff-match-patch": "git+https://github.com/hackmdio/diff-match-patch.git",
"ejs": "^2.5.5", "ejs": "^2.5.5",
"emojify.js": "~1.1.0", "emojify.js": "~1.1.0",
"escape-html": "^1.0.3",
"express": ">=4.14", "express": ">=4.14",
"express-session": "^1.14.2", "express-session": "^1.14.2",
"file-saver": "^1.3.3", "file-saver": "^1.3.3",

View file

@ -15,6 +15,7 @@ import hljs from 'highlight.js'
import PDFObject from 'pdfobject' import PDFObject from 'pdfobject'
import S from 'string' import S from 'string'
import { saveAs } from 'file-saver' import { saveAs } from 'file-saver'
import escapeHTML from 'escape-html'
require('./lib/common/login') require('./lib/common/login')
require('../vendor/md-toc') require('../vendor/md-toc')
@ -323,7 +324,7 @@ export function finishView (view) {
svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet') svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet')
} catch (err) { } catch (err) {
$value.unwrap() $value.unwrap()
$value.parent().append('<div class="alert alert-warning">' + err + '</div>') $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
console.warn(err) console.warn(err)
} }
}) })
@ -347,7 +348,7 @@ export function finishView (view) {
$value.children().unwrap().unwrap() $value.children().unwrap().unwrap()
} catch (err) { } catch (err) {
$value.unwrap() $value.unwrap()
$value.parent().append('<div class="alert alert-warning">' + err + '</div>') $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
console.warn(err) console.warn(err)
} }
}) })
@ -366,7 +367,7 @@ export function finishView (view) {
$value.children().unwrap().unwrap() $value.children().unwrap().unwrap()
} catch (err) { } catch (err) {
$value.unwrap() $value.unwrap()
$value.parent().append('<div class="alert alert-warning">' + err + '</div>') $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
console.warn(err) console.warn(err)
} }
}) })
@ -388,7 +389,7 @@ export function finishView (view) {
} }
$value.unwrap() $value.unwrap()
$value.parent().append('<div class="alert alert-warning">' + errormessage + '</div>') $value.parent().append(`<div class="alert alert-warning">${escapeHTML(errormessage)}</div>`)
console.warn(errormessage) console.warn(errormessage)
} }
}) })
@ -408,7 +409,7 @@ export function finishView (view) {
svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet') svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet')
} catch (err) { } catch (err) {
$value.unwrap() $value.unwrap()
$value.parent().append('<div class="alert alert-warning">' + err + '</div>') $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
console.warn(err) console.warn(err)
} }
}) })
@ -568,7 +569,7 @@ export function postProcess (code) {
if (warning && warning.length > 0) { if (warning && warning.length > 0) {
warning.text(md.metaError) warning.text(md.metaError)
} else { } else {
warning = $('<div id="meta-error" class="alert alert-warning">' + md.metaError + '</div>') warning = $(`<div id="meta-error" class="alert alert-warning">${escapeHTML(md.metaError)}</div>`)
result.prepend(warning) result.prepend(warning)
} }
} }