mirror of
https://github.com/zadam/trilium.git
synced 2025-06-06 18:08:33 +02:00
sanitize note title && attrs just to be sure
This commit is contained in:
parent
4fc686bbbc
commit
12b3302687
@ -43,7 +43,7 @@ function getClipperInboxNote() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function addClipping(req) {
|
function addClipping(req) {
|
||||||
const {title, content, pageUrl, images} = req.body;
|
let {title, content, pageUrl, images} = req.body;
|
||||||
|
|
||||||
const clipperInbox = getClipperInboxNote();
|
const clipperInbox = getClipperInboxNote();
|
||||||
|
|
||||||
@ -57,6 +57,8 @@ function addClipping(req) {
|
|||||||
type: 'text'
|
type: 'text'
|
||||||
}).note;
|
}).note;
|
||||||
|
|
||||||
|
pageUrl = htmlSanitizer.sanitize(pageUrl);
|
||||||
|
|
||||||
clippingNote.setLabel('clipType', 'clippings');
|
clippingNote.setLabel('clipType', 'clippings');
|
||||||
clippingNote.setLabel('pageUrl', pageUrl);
|
clippingNote.setLabel('pageUrl', pageUrl);
|
||||||
clippingNote.setLabel('iconClass', 'bx bx-globe');
|
clippingNote.setLabel('iconClass', 'bx bx-globe');
|
||||||
@ -89,9 +91,13 @@ function createNote(req) {
|
|||||||
type: 'text'
|
type: 'text'
|
||||||
});
|
});
|
||||||
|
|
||||||
|
clipType = htmlSanitizer.sanitize(clipType);
|
||||||
|
|
||||||
note.setLabel('clipType', clipType);
|
note.setLabel('clipType', clipType);
|
||||||
|
|
||||||
if (pageUrl) {
|
if (pageUrl) {
|
||||||
|
pageUrl = htmlSanitizer.sanitize(pageUrl);
|
||||||
|
|
||||||
note.setLabel('pageUrl', pageUrl);
|
note.setLabel('pageUrl', pageUrl);
|
||||||
note.setLabel('iconClass', 'bx bx-globe');
|
note.setLabel('iconClass', 'bx bx-globe');
|
||||||
}
|
}
|
||||||
|
@ -2,6 +2,8 @@ const sanitizeHtml = require('sanitize-html');
|
|||||||
|
|
||||||
// intended mainly as protection against XSS via import
|
// intended mainly as protection against XSS via import
|
||||||
// secondarily it (partly) protects against "CSS takeover"
|
// secondarily it (partly) protects against "CSS takeover"
|
||||||
|
// sanitize also note titles, label values etc. - there's so many usage which make it difficult to guarantee all of them
|
||||||
|
// are properly handled
|
||||||
function sanitize(dirtyHtml) {
|
function sanitize(dirtyHtml) {
|
||||||
if (!dirtyHtml) {
|
if (!dirtyHtml) {
|
||||||
return dirtyHtml;
|
return dirtyHtml;
|
||||||
|
@ -12,6 +12,7 @@ const sanitizeFilename = require('sanitize-filename');
|
|||||||
const noteRevisionService = require('./note_revisions');
|
const noteRevisionService = require('./note_revisions');
|
||||||
const isSvg = require('is-svg');
|
const isSvg = require('is-svg');
|
||||||
const isAnimated = require('is-animated');
|
const isAnimated = require('is-animated');
|
||||||
|
const htmlSanitizer = require("./html_sanitizer");
|
||||||
|
|
||||||
async function processImage(uploadBuffer, originalName, shrinkImageSwitch) {
|
async function processImage(uploadBuffer, originalName, shrinkImageSwitch) {
|
||||||
const compressImages = optionService.getOptionBool("compressImages");
|
const compressImages = optionService.getOptionBool("compressImages");
|
||||||
@ -66,6 +67,8 @@ function getImageMimeFromExtension(ext) {
|
|||||||
function updateImage(noteId, uploadBuffer, originalName) {
|
function updateImage(noteId, uploadBuffer, originalName) {
|
||||||
log.info(`Updating image ${noteId}: ${originalName}`);
|
log.info(`Updating image ${noteId}: ${originalName}`);
|
||||||
|
|
||||||
|
originalName = htmlSanitizer.sanitize(originalName);
|
||||||
|
|
||||||
const note = becca.getNote(noteId);
|
const note = becca.getNote(noteId);
|
||||||
|
|
||||||
note.saveNoteRevision();
|
note.saveNoteRevision();
|
||||||
|
@ -160,6 +160,11 @@ async function importZip(taskContext, fileBuffer, importRootNote) {
|
|||||||
attr.name = 'disabled:' + attr.name;
|
attr.name = 'disabled:' + attr.name;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (taskContext.data.safeImport) {
|
||||||
|
attr.name = htmlSanitizer.sanitize(attr.name);
|
||||||
|
attr.value = htmlSanitizer.sanitize(attr.value);
|
||||||
|
}
|
||||||
|
|
||||||
attributes.push(attr);
|
attributes.push(attr);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -18,6 +18,7 @@ const Branch = require('../becca/entities/branch');
|
|||||||
const Note = require('../becca/entities/note');
|
const Note = require('../becca/entities/note');
|
||||||
const Attribute = require('../becca/entities/attribute');
|
const Attribute = require('../becca/entities/attribute');
|
||||||
const dayjs = require("dayjs");
|
const dayjs = require("dayjs");
|
||||||
|
const htmlSanitizer = require("./html_sanitizer.js");
|
||||||
|
|
||||||
function getNewNotePosition(parentNoteId) {
|
function getNewNotePosition(parentNoteId) {
|
||||||
const note = becca.notes[parentNoteId];
|
const note = becca.notes[parentNoteId];
|
||||||
@ -98,6 +99,11 @@ function getNewNoteTitle(parentNote) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// this isn't in theory a good place to sanitize title, but this will catch a lot of XSS attempts
|
||||||
|
// title is supposed to contain text only (not HTML) and be printed text only, but given the number of usages
|
||||||
|
// it's difficult to guarantee correct handling in all cases
|
||||||
|
title = htmlSanitizer.sanitize(title);
|
||||||
|
|
||||||
return title;
|
return title;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user