chore: be more explicit on what HTML we allow when escaping

This commit is contained in:
Yohan Boniface 2024-05-01 16:22:49 +02:00
parent 200ee6ea10
commit fedb083612
2 changed files with 23 additions and 2 deletions


@ -70,7 +70,6 @@ export default function getPurify() {
export function escapeHTML(s) { export function escapeHTML(s) {
s = s ? s.toString() : '' s = s ? s.toString() : ''
s = getPurify().sanitize(s, { s = getPurify().sanitize(s, {
USE_PROFILES: { html: true },
ADD_TAGS: ['iframe'], ADD_TAGS: ['iframe'],
ALLOWED_TAGS: [ ALLOWED_TAGS: [
'h3', 'h3',
@ -86,9 +85,10 @@ export function escapeHTML(s) {
'iframe', 'iframe',
'img', 'img',
'br', 'br',
'span',
], ],
ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'], ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
ALLOWED_ATTR: ['href', 'src', 'width', 'height'], ALLOWED_ATTR: ['href', 'src', 'width', 'height', 'style'],
// Added: `geo:` URL scheme as defined in RFC5870: // Added: `geo:` URL scheme as defined in RFC5870:
// https://www.rfc-editor.org/rfc/rfc5870.html // https://www.rfc-editor.org/rfc/rfc5870.html
// The base RegExp comes from: // The base RegExp comes from:
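Review bot: Adding `style` to ALLOWED_ATTR (second hunk) accepts inline CSS verbatim on every allowed tag, including `iframe` and `img`; as far as I know DOMPurify keeps the attribute but does not inspect its value, so positioned overlays that cover the map UI or `url()` values that fetch remote resources now pass sanitization. If only a few properties are needed (a sibling test in this commit references `z-index: 200;`), consider documenting that intent next to the list, e.g. `// 'style' is passed through unfiltered by DOMPurify; narrow it with an uponSanitizeAttribute hook if richer user content is ever accepted`, or restricting to those properties. Dropping `USE_PROFILES: { html: true }` presumably makes the explicit ALLOWED_TAGS/ALLOWED_ATTR lists effective for the first time, since the profile appears to have taken precedence before; a one-line comment saying so would save the next reader a trip to the DOMPurify docs. The function is named like an escaper but returns sanitized HTML; a JSDoc such as `/** Sanitize user-supplied HTML against an explicit allow-list; null/undefined yield ''. */` would make the contract clear. escapeHTML's body continues past the hunk, including the URI regex the trailing comments introduce.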


@ -45,3 +45,24 @@ def test_create_map_with_cursor(page, live_server, tilelayer):
"z-index: 200;" "z-index: 200;"
), ),
) )
def test_cannot_put_script_tag_in_datalayer_name_or_description(
openmap, live_server, page, tilelayer
):
page.goto(f"{live_server.url}{openmap.get_absolute_url()}")
page.get_by_role("button", name="Edit").click()
page.get_by_role("link", name="Manage layers").click()
page.get_by_role("button", name="Add a layer").click()
page.locator('input[name="name"]').click()
page.locator('input[name="name"]').fill('<script>alert("attack")</script>')
page.locator(".umap-field-description textarea").click()
page.locator(".umap-field-description textarea").fill(
'<p>before <script>alert("attack")</script> after</p>'
)
page.get_by_role("button", name="Save").click()
page.get_by_role("button", name="About").click()
# Title should contain raw HTML (we are using textContent)
expect(page.get_by_text('<script>alert("attack")</script>')).to_be_visible()
# Description should contain escaped HTML
expect(page.get_by_text("before after")).to_be_visible()
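Review bot: The new test proves the `<script>` element is removed from the rendered description, but it never checks that nothing executed, which is the property the test name promises; Playwright auto-dismisses dialogs, so an `alert()` that did fire would go unnoticed. Registering a handler before the Save click, `dialogs = []` then `page.on("dialog", lambda d: dialogs.append(d.message))`, and asserting `assert dialogs == []` at the end would pin the actual XSS outcome, and `page.wait_for_timeout` is not needed for that. The final assertion `get_by_text("before after")` relies on Playwright's whitespace normalisation, since the sanitized text contains two spaces; a comment like `# DOMPurify leaves "before  after" (double space); get_by_text normalises whitespace` would keep someone from "fixing" the expected string. A one-line docstring stating that the name is rendered via textContent while the description goes through the HTML sanitizer would also help, since the two branches assert opposite things. The hunk header counts 21 added lines but 19 are shown, so a couple of blank lines seem to have been dropped in rendering.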