Desktop, Mobile: Filter out form elements from note body to prevent potential XSS (thanks to Dmytro Vdovychinskiy for the PoC)
laurent22 committed Jun 11, 2021
1 parent af9f3ee commit feaecf7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion packages/renderer/htmlUtils.ts
Expand Up @@ -158,7 +158,7 @@ class HtmlUtils {
// "link" can be used to escape the parser and inject JavaScript.
// Adding "meta" too for the same reason as it shouldn't be used in
// notes anyway.
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript'];
const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed', 'link', 'meta', 'noscript', 'button', 'form', 'input', 'select', 'textarea', 'option', 'optgroup'];

@chinskiy Aug 3, 2021

CVE-2021-37916

The sanitizeHtml method in Joplin desktop allows HTML tags with JavaScript attributes that give the possibility to execute arbitrary JavaScript code from the note body.

The vulnerability was fixed in 2.0.9 by extending the disallowedTags array.


const parser = new htmlparser2.Parser({
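Review bot: the comment above the changed line explains only why `link` and `meta` are disallowed, while the seven form elements added on the new `disallowedTags` line get no rationale; add a sentence such as `// Form elements are disallowed because they can carry JavaScript attributes and are not needed in notes.` so the next maintainer does not trim the list. Note also that this keeps a denylist: any form-associated element not named in this array still passes, and the attribute-level risk described in the CVE comment on this page (tags carrying JavaScript attributes) is only partly addressed by removing tags; an allowlist of permitted tags, with event-handler attributes stripped regardless of tag, would be a more robust follow-up.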

