fix: XSS vulnerabilities

yan42685 · Oct 24, 2024 · 3d3c913 · 3d3c913
1 parent 5114abe
commit 3d3c913
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 4 deletions.
diff --git a/manifest.json b/manifest.json
@@ -3,7 +3,7 @@
 	"name": "Clever Search",
 	"author": "Alex Clifton",
 	"description": "Helping you quickly locate the notes in your mind in the easiest way, without the need for complex search syntax to find relevant content.",
-	"version": "0.2.10",
+	"version": "0.2.11",
 	"minAppVersion": "0.15.0",
     "fundingUrl": "https://www.buymeacoffee.com/alexclifton",
 	"isDesktopOnly": true

diff --git a/package.json b/package.json
@@ -21,6 +21,7 @@
 		"@codemirror/view": "^6.22.3",
 		"@jest/globals": "^29.7.0",
 		"@tsconfig/svelte": "^3.0.0",
+		"@types/dompurify": "^3.0.5",
 		"@types/jest": "^29.5.11",
 		"@types/node": "^16.11.6",
 		"@types/throttle-debounce": "^5.0.2",
@@ -42,6 +43,7 @@
 	},
 	"dependencies": {
 		"dexie": "^3.2.4",
+		"dompurify": "^3.1.7",
 		"franc-min": "^6.1.0",
 		"fzf": "^0.5.2",
 		"jieba-wasm": "^0.0.2",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/ui/MountedModal.svelte b/src/ui/MountedModal.svelte
@@ -233,7 +233,7 @@
 						}}
 					>
 						{#if item instanceof LineItem}
-							<span class="line-item">{@html item.line.text}</span
+							<span class="line-item">{@html viewHelper.purifyHTML(item.line.text)}</span
 							>
 						{:else if item instanceof FileItem}
 							<span class="file-item">
@@ -260,7 +260,7 @@
 				{#if searchType === SearchType.IN_FILE}
 					{#if currContext}
 						<p on:contextmenu={(e) => handleConfirm(e)} on:dblclick={(e) => handleConfirm(e)}>
-							{@html currContext}
+							{@html viewHelper.purifyHTML(currContext)}
 						</p>
 					{/if}
 				{:else if searchType === SearchType.IN_VAULT}
@@ -282,7 +282,7 @@
 									class:selected={index === currSubItemIndex}
 									class="file-sub-item"
 								>
-									{@html subItem.text}
+									{@html viewHelper.purifyHTML(subItem.text)}
 								</button>
 							{/each}
 						</ul>

diff --git a/src/ui/view-helper.ts b/src/ui/view-helper.ts
@@ -16,13 +16,20 @@ import { SemanticEngine } from "src/services/search/semantic-engine";
 import { logger } from "src/utils/logger";
 import { getInstance } from "src/utils/my-lib";
 import { singleton } from "tsyringe";
+// TODO: When DOMPurify 3.1.8 is released, remove @types/dompurify due to an unreleased PR: https://github.com/cure53/DOMPurify/pull/1006
+import DOMPurify from "dompurify";
 
 @singleton()
 export class ViewHelper {
 	private readonly app = getInstance(App);
 	private readonly privateApi = getInstance(PrivateApi);
 	private readonly setting = getInstance(OuterSetting);
 
+	// avoid XSS
+	purifyHTML(rawHtml: string): string {
+		return DOMPurify.sanitize(rawHtml, { USE_PROFILES: { html: true } });
+	}
+
 	updateSubItemIndex(
 		subItems: FileSubItem[],
 		currSubIndex: number,