chore: add escape to prevent XSS (#833)

boojack
2022-12-23 19:17:33 +08:00
committed by GitHub
parent c07b4a57ca
commit 65cc19c12e
6 changed files with 11 additions and 10 deletions


@@ -38,7 +38,7 @@ const SearchBar = () => {
useEffect(() => { useEffect(() => {
const text = locationStore.getState().query.text; const text = locationStore.getState().query.text;
setQueryText(text === undefined ? "" : text); setQueryText(text === undefined ? "" : text);
}, [locationStore.getState().query.text]); }, [locationStore.state.query.text]);
const handleMemoTypeItemClick = (type: MemoSpecType | undefined) => { const handleMemoTypeItemClick = (type: MemoSpecType | undefined) => {
const { type: prevType } = locationStore.getState().query ?? {}; const { type: prevType } = locationStore.getState().query ?? {};
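Review bot: The new dependency array `}, [locationStore.state.query.text]);` reads `locationStore.state` while the effect body two lines above still reads `locationStore.getState().query.text`; if those two accessors can yield different objects (a snapshot versus a live property), the effect may not re-run when the query text actually changes. Reading the value through one accessor in both places, or hoisting `const queryText = locationStore.getState().query.text;` above the effect and using it in the body and the dependency list, would keep them aligned. This change is also unrelated to the escaping work the commit is about, so it deserves its own mention in the commit message. The enclosing `SearchBar` component starts and ends outside the hunk.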


@@ -1,6 +1,4 @@
const escapeRegExp = (str: string): string => { import { escape } from "lodash";
return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
};
const walkthroughNodeWithKeyword = (node: HTMLElement, keyword: string) => { const walkthroughNodeWithKeyword = (node: HTMLElement, keyword: string) => {
if (node.nodeType === 3) { if (node.nodeType === 3) {
@@ -19,8 +17,8 @@ export const highlightWithWord = (html: string, keyword?: string): string => {
if (!keyword) { if (!keyword) {
return html; return html;
} }
keyword = escapeRegExp(keyword); keyword = escape(keyword);
const wrap = document.createElement("div"); const wrap = document.createElement("div");
wrap.innerHTML = html; wrap.innerHTML = escape(html);
return walkthroughNodeWithKeyword(wrap, keyword); return walkthroughNodeWithKeyword(wrap, keyword);
}; };
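Review bot: `keyword = escape(keyword);` swaps regex escaping for HTML entity escaping, which is a different concern: if `walkthroughNodeWithKeyword` still builds a `RegExp` from `keyword` (as the removed `escapeRegExp` helper suggests), a keyword such as `(` or `a+` will now throw or over-match, and a keyword containing `&`, `<` or `'` becomes an entity sequence that can never match decoded text-node content. `wrap.innerHTML = escape(html);` likewise entity-encodes the already-rendered markup, so tags in the highlighted result would be shown as literal text instead of rendered; escaping belongs on the untrusted source text before it is rendered (as the renderer hunks elsewhere in this commit do), not on the rendered HTML here. I would keep the removed `escapeRegExp` helper, use `keyword = escapeRegExp(keyword);`, and leave `wrap.innerHTML = html;` as it was. The body of `walkthroughNodeWithKeyword` lies outside the hunk, so the `RegExp` assumption should be confirmed there.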


@@ -1,3 +1,4 @@
import { escape } from "lodash";
import { marked } from ".."; import { marked } from "..";
import Link from "./Link"; import Link from "./Link";
@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
return rawStr; return rawStr;
} }
const parsedContent = marked(matchResult[1], [], [Link]); const parsedContent = marked(escape(matchResult[1]), [], [Link]);
return `<strong>${parsedContent}</strong>`; return `<strong>${parsedContent}</strong>`;
}; };
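Review bot: `marked(escape(matchResult[1]), [], [Link])` entity-encodes the inner text and then hands it to a nested renderer that encodes again — the Link renderer in this same commit applies `escape(matchResult[1])` to its own inner text — so text on a link-inside-bold or bold-inside-link path is escaped twice and a literal `&` ends up displayed as `&amp;`; the `<strong><em>` and `<em>` renderer hunks below have the same pattern. Escaping once at the outermost entry point before any renderer runs, or only in the leaf text renderer, would avoid the compounding while keeping the XSS protection. Since `escape` also turns `'` and `"` into entities before the nested rule regexes run, link syntax containing quotes may stop matching; that is worth a test. The `renderer` function begins outside the hunk.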


@@ -1,3 +1,4 @@
import { escape } from "lodash";
import { marked } from ".."; import { marked } from "..";
import Link from "./Link"; import Link from "./Link";
@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
return rawStr; return rawStr;
} }
const parsedContent = marked(matchResult[1], [], [Link]); const parsedContent = marked(escape(matchResult[1]), [], [Link]);
return `<strong><em>${parsedContent}</em></strong>`; return `<strong><em>${parsedContent}</em></strong>`;
}; };


@@ -1,3 +1,4 @@
import { escape } from "lodash";
import { marked } from ".."; import { marked } from "..";
import Link from "./Link"; import Link from "./Link";
@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
return rawStr; return rawStr;
} }
const parsedContent = marked(matchResult[1], [], [Link]); const parsedContent = marked(escape(matchResult[1]), [], [Link]);
return `<em>${parsedContent}</em>`; return `<em>${parsedContent}</em>`;
}; };


@@ -17,7 +17,7 @@ const renderer = (rawStr: string): string => {
if (!matchResult) { if (!matchResult) {
return rawStr; return rawStr;
} }
const parsedContent = marked(matchResult[1], [], [InlineCode, BoldEmphasis, Emphasis, Bold]); const parsedContent = marked(escape(matchResult[1]), [], [InlineCode, BoldEmphasis, Emphasis, Bold]);
return `<a class='link' target='_blank' rel='noreferrer' href='${escape(matchResult[2])}'>${parsedContent}</a>`; return `<a class='link' target='_blank' rel='noreferrer' href='${escape(matchResult[2])}'>${parsedContent}</a>`;
}; };
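Review bot: `href='${escape(matchResult[2])}'` only entity-encodes `& < > " '`, which prevents breaking out of the attribute but does nothing about an unexpected URL scheme in the link target itself; given the commit's stated purpose, the target should also be restricted to the schemes the app expects before it is emitted, e.g. `if (!/^https?:\/\//i.test(matchResult[2])) { return rawStr; }` placed before the `parsedContent` line, so anything else falls back to plain text. The `renderer` function begins outside the hunk, so the shape of `matchResult` should be confirmed against the regex there.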