fix(xss): fix potential xss in raw html

Tencent · Jan 11, 2024 · 596805c · 596805c
1 parent 66c3ecc
commit 596805c
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/package.json b/package.json
@@ -102,7 +102,7 @@
     "cross-env": "^7.0.2",
     "cz-customizable": "^6.2.0",
     "dom-parser": "^0.1.6",
-    "dompurify": "^2.0.11",
+    "dompurify": "^3.0.8",
     "es-check": "^7.1.1",
     "eslint": "^7.32.0",
     "eslint-config-prettier": "^8.1.0",

diff --git a/src/core/hooks/HtmlBlock.js b/src/core/hooks/HtmlBlock.js
@@ -23,6 +23,22 @@ import {
 import { sanitizer } from '@/Sanitizer';
 import { isBrowser } from '@/utils/env';
 
+/**
+ * encode unsafe link-related attributes
+ */
+const unsafeAttributes = ['href', 'src'];
+
+sanitizer.addHook('afterSanitizeAttributes', (node) => {
+  unsafeAttributes.forEach((attr) => {
+    if (!node.hasAttribute(attr)) {
+      return;
+    }
+    const value = node.getAttribute(attr);
+    // encode unsafe backslash in link attributes
+    node.setAttribute(attr, value.replace(/\\/g, '%5c'));
+  });
+});
+
 export default class HtmlBlock extends ParagraphBase {
   static HOOK_NAME = 'htmlBlock';
   constructor() {

diff --git a/yarn.lock b/yarn.lock
@@ -4439,11 +4439,16 @@ domhandler@^5.0.1, domhandler@^5.0.2, domhandler@^5.0.3:
   dependencies:
     domelementtype "^2.3.0"
 
-[email protected], dompurify@^2.0.11:
+[email protected]:
   version "2.4.3"
   resolved "https://registry.npmjs.org/dompurify/-/dompurify-2.4.3.tgz"
   integrity sha512-q6QaLcakcRjebxjg8/+NP+h0rPfatOgOzc46Fst9VAA3jF2ApfKBNKMzdP4DYTqtUMXSCd5pRS/8Po/OmoCHZQ==
 
+dompurify@^3.0.8:
+  version "3.0.8"
+  resolved "https://registry.npmjs.org/dompurify/-/dompurify-3.0.8.tgz#e0021ab1b09184bc8af7e35c7dd9063f43a8a437"
+  integrity sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ==
+
 domutils@^1.7.0:
   version "1.7.0"
   resolved "https://registry.npmjs.org/domutils/-/domutils-1.7.0.tgz"