sjw
/
pleroma-fe
mirror of https://git.pleroma.social/sjw/pleroma-fe.git
1
0
Fork 0
Code Issues Releases Wiki Activity

fix regex misinterpreting tag name in badly formed HTML, prevent rich 

content from ever using dangerous tags
This commit is contained in:
Henry Jameson 2023-06-05 21:49:47 +03:00
parent 22c3012e1c
commit 00b47e1673
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/components/rich_content/rich_content.jsx
View File

@ -149,7 +149,9 @@ export default {
// Handle tag nodes
if (Array.isArray(item)) {
const [opener, children, closer] = item
const Tag = getTagName(opener)
let Tag = getTagName(opener)
if (Tag === 'script') Tag = 'js-exploit'
if (Tag === 'style') Tag = 'css-exploit'
const fullAttrs = getAttrs(opener, () => true)
const attrs = getAttrs(opener)
const previouslyMentions = currentMentions !== null

2
src/services/html_converter/utility.service.js
View File

@ -5,7 +5,7 @@
* @return {String} - tagname, i.e. "div"
*/
export const getTagName = (tag) => {
const result = /(?:<\/(\w+)>|<(\w+)\s?.*?\/?>)/gi.exec(tag)
const result = /(?:<\/(\w+)>|<(\w+)\s?.*?\/?>)/gis.exec(tag)
return result && (result[1] || result[2])
}