Merge remote-tracking branch 'origin/master' into fix/parsing-envs

highcharts · Apr 9, 2024 · 8d88b4a · 8d88b4a
2 parents b618a23 + 52c03f1
commit 8d88b4a
Show file tree

Hide file tree

Showing 5 changed files with 399 additions and 4 deletions.
diff --git a/lib/chart.js b/lib/chart.js
@@ -26,7 +26,7 @@ import {
   toBoolean,
   wrapAround
 } from './utils.js';
-
+import { sanitize } from './sanitize.js';
 import ExportError from './errors/ExportError.js';
 
 let allowCodeExecution = false;
@@ -59,11 +59,13 @@ export const startExport = async (settings, endCallback) => {
   if (options.payload?.svg && options.payload.svg !== '') {
     try {
       log(4, '[chart] Attempting to export from a SVG input.');
+
       const result = exportAsString(
-        options.payload.svg.trim(),
+        sanitize(options.payload.svg), // #209
         options,
         endCallback
       );
+
       ++stats.exportFromSvgAttempts;
       return result;
     } catch (error) {
@@ -163,7 +165,9 @@ export const batchExport = async (options) => {
             // Save the base64 from a buffer to a correct image file
             writeFileSync(
               info.options.export.outfile,
-              Buffer.from(info.result, 'base64')
+              info.options.export.type !== 'svg'
+                ? Buffer.from(info.result, 'base64')
+                : info.result
             );
           }
         )

diff --git a/lib/sanitize.js b/lib/sanitize.js
@@ -0,0 +1,37 @@
+/*******************************************************************************
+
+Highcharts Export Server
+
+Copyright (c) 2016-2024, Highsoft
+
+Licenced under the MIT licence.
+
+Additionally a valid Highcharts license is required for use.
+
+See LICENSE file in root for details.
+
+*******************************************************************************/
+
+/**
+ * @overview Used to sanitize the strings coming from the exporting module
+ * to prevent XSS attacks (with the DOMPurify library).
+ **/
+
+import { JSDOM } from 'jsdom';
+import DOMPurify from 'dompurify';
+
+/**
+ * Sanitizes a given HTML string by removing <script> tags.
+ * This function uses a regular expression to find and remove all
+ * occurrences of <script>...</script> tags and any content within them.
+ *
+ * @param {string} input The HTML string to be sanitized.
+ * @return {string} The sanitized HTML string.
+ */
+export function sanitize(input) {
+  const window = new JSDOM('').window;
+  const purify = DOMPurify(window);
+  return purify.sanitize(input);
+}
+
+export default sanitize;