diff --git a/src/routes/api/clipper.js b/src/routes/api/clipper.js index 5c89ac291..71bcf84a4 100644 --- a/src/routes/api/clipper.js +++ b/src/routes/api/clipper.js @@ -47,6 +47,7 @@ function addClipping(req) { const clipperInbox = getClipperInboxNote(); + pageUrl = htmlSanitizer.sanitizeUrl(pageUrl); let clippingNote = findClippingNote(clipperInbox, pageUrl); if (!clippingNote) { @@ -57,8 +58,6 @@ function addClipping(req) { type: 'text' }).note; - pageUrl = htmlSanitizer.sanitize(pageUrl); - clippingNote.setLabel('clipType', 'clippings'); clippingNote.setLabel('pageUrl', pageUrl); clippingNote.setLabel('iconClass', 'bx bx-globe'); @@ -96,7 +95,7 @@ function createNote(req) { note.setLabel('clipType', clipType); if (pageUrl) { - pageUrl = htmlSanitizer.sanitize(pageUrl); + pageUrl = htmlSanitizer.sanitizeUrl(pageUrl); note.setLabel('pageUrl', pageUrl); note.setLabel('iconClass', 'bx bx-globe'); diff --git a/src/services/html_sanitizer.js b/src/services/html_sanitizer.js index 9164ddfda..e3df0d135 100644 --- a/src/services/html_sanitizer.js +++ b/src/services/html_sanitizer.js @@ -1,4 +1,5 @@ const sanitizeHtml = require('sanitize-html'); +const sanitizeUrl = require('@braintree/sanitize-url').sanitizeUrl; // intended mainly as protection against XSS via import // secondarily it (partly) protects against "CSS takeover" @@ -48,5 +49,6 @@ function sanitize(dirtyHtml) { } module.exports = { - sanitize + sanitize, + sanitizeUrl };