Fixing MM-36062 extra detail
parent
d3b21dd05f
commit
22172be2cd
2 changed files with 2 additions and 2 deletions
|
@ -29,7 +29,7 @@ describe('utils', () => {
|
||||||
test('should not allow XSS on links href on the desktop app', () => {
|
test('should not allow XSS on links href on the desktop app', () => {
|
||||||
const windowAsAny = window as any
|
const windowAsAny = window as any
|
||||||
windowAsAny.openInNewBrowser = () => null
|
windowAsAny.openInNewBrowser = () => null
|
||||||
const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(\'%22xss-attack=%22true%22other=%22whatever\');"></a></p>'
|
const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser("%22xss-attack=%22true%22other=%22whatever");"></a></p>'
|
||||||
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe(expectedHtml)
|
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe(expectedHtml)
|
||||||
windowAsAny.openInNewBrowser = null
|
windowAsAny.openInNewBrowser = null
|
||||||
})
|
})
|
||||||
|
|
|
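Review bot: The only input this test pins is a link target containing double quotes, which `encodeURI` already turns into `%22`, so it says nothing about characters `encodeURI` leaves untouched, such as a single quote or parentheses. Since the commit changes how the href is quoted inside the `onclick` string, a second expectation using a link target that contains a single quote would pin the behaviour this fix is about. Separately, `windowAsAny.openInNewBrowser = null` is skipped when the `expect` throws, so the stub leaks into later tests; moving the reset into a `finally` block or an `afterEach` keeps the global clean. The page prints both sides without `+`/`-` markers, so this assumes the second `expectedHtml` line is the new one.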
@ -113,7 +113,7 @@ class Utils {
|
||||||
// HACKHACK: Somehow, marked doesn't encode angle brackets
|
// HACKHACK: Somehow, marked doesn't encode angle brackets
|
||||||
const renderer = new marked.Renderer()
|
const renderer = new marked.Renderer()
|
||||||
if ((window as any).openInNewBrowser) {
|
if ((window as any).openInNewBrowser) {
|
||||||
renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser('${encodeURI(href || '')}');">${contents}</a>`
|
renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser("${encodeURI(href || '')}");">${contents}</a>`
|
||||||
}
|
}
|
||||||
const html = marked(text.replace(/</g, '<'), {renderer, breaks: true})
|
const html = marked(text.replace(/</g, '<'), {renderer, breaks: true})
|
||||||
return html.trim()
|
return html.trim()
|
||||||
|
|
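Review bot: Both versions of the `renderer.link` line splice the href into the source text of an inline `onclick` handler and rely on `encodeURI` to keep it inside the string literal, which is fragile. `encodeURI` does not escape `'`, `(` or `)`, so the single-quoted form is not contained. The double-quoted form is only safe if the file writes the quotes as `&quot;`, because a raw `"` would end the `onclick` attribute; the page seems to have decoded entities (the `text.replace(/</g, '<')` line is a no-op as printed), so this cannot be confirmed from here. Dropping the interpolation removes the dependency on quoting altogether, for example `onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(this.href);"`, after confirming that `openInNewBrowser` accepts the resolved URL that `this.href` returns. The enclosing method starts and ends outside the hunk.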