Fixing MM-36062 extra detail

This commit is contained in:
Jesús Espino 2021-06-15 11:03:53 +02:00
parent d3b21dd05f
commit 22172be2cd
2 changed files with 2 additions and 2 deletions

View file

@ -29,7 +29,7 @@ describe('utils', () => {
test('should not allow XSS on links href on the desktop app', () => { test('should not allow XSS on links href on the desktop app', () => {
const windowAsAny = window as any const windowAsAny = window as any
windowAsAny.openInNewBrowser = () => null windowAsAny.openInNewBrowser = () => null
const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(\'%22xss-attack=%22true%22other=%22whatever\');"></a></p>' const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(&quot;%22xss-attack=%22true%22other=%22whatever&quot;);"></a></p>'
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe(expectedHtml) expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe(expectedHtml)
windowAsAny.openInNewBrowser = null windowAsAny.openInNewBrowser = null
}) })

View file

@ -113,7 +113,7 @@ class Utils {
// HACKHACK: Somehow, marked doesn't encode angle brackets // HACKHACK: Somehow, marked doesn't encode angle brackets
const renderer = new marked.Renderer() const renderer = new marked.Renderer()
if ((window as any).openInNewBrowser) { if ((window as any).openInNewBrowser) {
renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser('${encodeURI(href || '')}');">${contents}</a>` renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(&quot;${encodeURI(href || '')}&quot;);">${contents}</a>`
} }
const html = marked(text.replace(/</g, '&lt;'), {renderer, breaks: true}) const html = marked(text.replace(/</g, '&lt;'), {renderer, breaks: true})
return html.trim() return html.trim()