Desktop,Mobile: Security: Improve comment escaping (#11706)

laurent22 · Jan 23, 2025 · 2a058ed · 2a058ed
1 parent d621e63
commit 2a058ed
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/packages/app-cli/tests/md_to_html/sanitize_21.md b/packages/app-cli/tests/md_to_html/sanitize_21.md
@@ -1 +1 @@
-Should keep this comment: <!-- keep this &amp; that -->
+Should keep this comment: <!-- keep this & that -->
diff --git a/packages/app-cli/tests/md_to_html/sanitize_23.html b/packages/app-cli/tests/md_to_html/sanitize_23.html
@@ -0,0 +1 @@
+<math class="jop-noMdConv"><p class="jop-noMdConv"><style class="jop-noMdConv"><!--&lt;/style&gt;&lt;img src onerror=alert(1)&gt;--></style>
diff --git a/packages/app-cli/tests/md_to_html/sanitize_23.md b/packages/app-cli/tests/md_to_html/sanitize_23.md
@@ -0,0 +1 @@
+<math><p><style><!--</style><img src onerror=alert(1)>--></style>
diff --git a/packages/renderer/htmlUtils.ts b/packages/renderer/htmlUtils.ts
@@ -260,8 +260,10 @@ class HtmlUtils {
 
 		const parser = new htmlparser2.Parser({
 
-			oncomment: (encodedData: string) => {
-				output.push(`<!--${encodedData}-->`);
+			oncomment: (data: string) => {
+				// Ensure that <s and >s are escaped within comments. In some cases,
+				// these characters can end a comment early (e.g. <style><!--</style>-->)
+				output.push(`<!--${htmlentities(data)}-->`);
 			},
 
 			onopentag: (name: string, attrs: Record<string, string>) => {
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		Should keep this comment: <!-- keep this & that -->
		Should keep this comment: <!-- keep this & that -->
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		<math class="jop-noMdConv"><p class="jop-noMdConv"><style class="jop-noMdConv"><!--</style><img src onerror=alert(1)>--></style>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		<math><p><style><!--</style><img src onerror=alert(1)>--></style>