Fix critical autoLink security issue

moviepilot · Dec 28, 2012 · 34ebe36 · 34ebe36
1 parent 920fdb4
commit 34ebe36
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 2 deletions.
diff --git a/src/dom/auto_link.js b/src/dom/auto_link.js
@@ -85,11 +85,12 @@
    */
   function _wrapMatchesInNode(textNode) {
     var parentNode  = textNode.parentNode,
+        nodeValue   = wysihtml5.lang.string(textNode.data).escapeHTML(),
         tempElement = _getTempElement(parentNode.ownerDocument);
 
     // We need to insert an empty/temporary <span /> to fix IE quirks
     // Elsewise IE would strip white space in the beginning
-    tempElement.innerHTML = "<span></span>" + _convertUrlsToLinks(textNode.data);
+    tempElement.innerHTML = "<span></span>" + _convertUrlsToLinks(nodeValue);
     tempElement.removeChild(tempElement.firstChild);
 
     while (tempElement.firstChild) {

diff --git a/src/lang/string.js b/src/lang/string.js
@@ -1,6 +1,13 @@
 (function() {
   var WHITE_SPACE_START = /^\s+/,
-      WHITE_SPACE_END   = /\s+$/;
+      WHITE_SPACE_END   = /\s+$/,
+      ENTITY_REG_EXP    = /[&<>"]/g,
+      ENTITY_MAP = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': "&quot;"
+      };
   wysihtml5.lang.string = function(str) {
     str = String(str);
     return {
@@ -36,6 +43,15 @@
             return str.split(search).join(replace);
           }
         };
+      },
+
+      /**
+       * @example
+       *    wysihtml5.lang.string("hello<br>").escapeHTML();
+       *    // => "hello&lt;br&gt;"
+       */
+      escapeHTML: function() {
+        return str.replace(ENTITY_REG_EXP, function(c) { return ENTITY_MAP[c]; });
       }
     };
   };

diff --git a/test/dom/auto_link_test.js b/test/dom/auto_link_test.js
@@ -102,4 +102,10 @@ test("Basic test", function() {
     " <a href=\"http://www.google.de\">http://www.google.de</a>",
     "Check if white space in front of url is preserved"
   );
+
+  this.equal(
+    this.autoLink("&lt;b&gt;foo&lt;/b&gt; http://www.google.de"),
+    "&lt;b&gt;foo&lt;/b&gt; <a href=\"http://www.google.de\">http://www.google.de</a>",
+    "Check if plain HTML markup isn't evaluated"
+  );
 });
diff --git a/test/lang/string_test.js b/test/lang/string_test.js
@@ -16,4 +16,8 @@ test("replace()", function() {
     wysihtml5.lang.string("I LOVE CAKE").replace("CAKE").by("BOOBS"),
     "I LOVE BOOBS"
   );
+});
+
+test("escapeHTML()", function() {
+  equal(wysihtml5.lang.string('&<>"').escapeHTML(), "&amp;&lt;&gt;&quot;");
 });