Fixing MM-36062 another detail

Jesús Espino 2021-06-18 16:46:57 +02:00
parent edc3eb7e8f
commit d7442739b5
2 changed files with 2 additions and 2 deletions


@ -29,7 +29,7 @@ describe('utils', () => {
test('should not allow XSS on links href on the desktop app', () => {
const windowAsAny = window as any
windowAsAny.openInNewBrowser = () => null
const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(&quot;%22xss-attack=%22true%22other=%22whatever&quot;);"></a></p>'
const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);"></a></p>'
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe(expectedHtml)
windowAsAny.openInNewBrowser = null
})
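Review bot: The reset `windowAsAny.openInNewBrowser = null` runs only when the `expect` passes, so a failing assertion leaves the desktop-app stub on `window` and can change how later tests in this file render links. Wrap the body in `try { … } finally { windowAsAny.openInNewBrowser = null }`, or move the reset into an `afterEach`. The test also pins only the rendered string for a link with empty text; a case with nested link content (for example an image inside the link) would cover the path where the clicked element is not the anchor itself.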


@ -113,7 +113,7 @@ class Utils {
// HACKHACK: Somehow, marked doesn't encode angle brackets
const renderer = new marked.Renderer()
if ((window as any).openInNewBrowser) {
renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(&quot;${encodeURI(href || '')}&quot;);">${contents}</a>`
renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);">${contents}</a>`
}
const html = marked(text.replace(/</g, '&lt;'), {renderer, breaks: true})
return html.trim()
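Review bot: `event.target` in the new onclick (the second `renderer.link` line, taken here as the new side) is the innermost element that was clicked, not necessarily the anchor, so when `contents` renders as a nested element such as an image or emphasis the handler reads an `href` that element does not have and passes `undefined` to `openInNewBrowser`. Using `openInNewBrowser(event.currentTarget.href)` keeps the lookup bound to the `<a>` itself. Separately, `encodeURI` does not restrict the URL scheme, so the value handed to the desktop app should be checked against an allow-list (for example `http:`, `https:`, `mailto:`) either here or inside `openInNewBrowser`; whether the latter already does so is not visible in this hunk. The enclosing method starts and ends outside the hunk.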