
Merge pull request #1832 from hackmdio/bugfix/sanitize-url-to-prevent…
…-xss

fix: sanitize pdf url to prevent XSS on inline PDFs
Yukaii authored Dec 26, 2023
2 parents 6d95fd1 + 11cd200 commit dca7f8c
Showing 2 changed files with 23 additions and 1 deletion.
4 changes: 3 additions & 1 deletion public/js/extra.js
Expand Up @@ -28,6 +28,7 @@ import './lib/renderer/lightbox'
import { renderCSVPreview } from './lib/renderer/csvpreview'

import { escapeAttrValue } from './render'
import { sanitizeUrl } from './utils'

import markdownit from 'markdown-it'
import markdownitContainer from 'markdown-it-container'
Expand Down Expand Up @@ -630,10 +631,11 @@ export function finishView (view) {
view.find('div.pdf.raw').removeClass('raw')
.each(function (key, value) {
const url = $(value).attr('data-pdfurl')
const cleanUrl = sanitizeUrl(url)
const inner = $('<div></div>')
$(this).append(inner)
setTimeout(() => {
PDFObject.embed(url, inner, {
PDFObject.embed(cleanUrl, inner, {
height: '400px'
})
}, 1)
20 changes: 20 additions & 0 deletions public/js/utils.js
Expand Up @@ -26,3 +26,23 @@ export function decodeNoteId (encodedId) {
idParts.push(id.substr(20, 12))
return idParts.join('-')
}

/**
* sanitize url to prevent XSS
* @see {@link https://github.com/braintree/sanitize-url/issues/52#issue-1593777166}
*
* @param {string} rawUrl
* @returns {string} sanitized url
*/
export function sanitizeUrl (rawUrl) {
try {
const url = new URL(rawUrl)
if (url.protocol === 'http:' || url.protocol === 'https:') {
return url.toString()
}

throw new Error('Invalid protocol')
} catch (error) {
return 'about:blank'
}
}
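Review bot: `new URL(rawUrl)` at the top of sanitizeUrl is called without a base, so a relative value such as `/uploads/x.pdf` or `x.pdf` throws and comes back as `about:blank`; the call site in public/js/extra.js (`PDFObject.embed(cleanUrl, …)`) would then embed a blank frame for every relative `data-pdfurl`, if such values occur (the hunk does not show where the attribute is produced). Resolving against the page, `new URL(rawUrl, window.location.href)`, keeps relative paths working while still rejecting `javascript:` and `data:` inputs, because the check is on the parsed `protocol` of the resolved URL and a relative path inherits the page's http(s) scheme. The `throw new Error('Invalid protocol')` inside the try exists only to reach the catch; returning `about:blank` after the try reads more directly and leaves the catch for parse failures alone. The JSDoc could also state that the return value is the normalized form from `url.toString()` rather than the input string, so callers do not expect a byte-identical echo.
```javascript
export function sanitizeUrl (rawUrl) {
  try {
    // Resolve relative paths against the page; the protocol check below then
    // applies to the effective scheme, so only http(s) results are returned.
    const url = new URL(rawUrl, window.location.href)
    if (url.protocol === 'http:' || url.protocol === 'https:') {
      return url.toString()
    }
  } catch (error) {
    // Unparsable input is treated the same as a disallowed scheme.
  }
  return 'about:blank'
}
```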
