Escape text from custom transformTags functions.

This makes custom tag transformations less error-prone. Prior to this patch, tag transformations which turned an attribute value into a text node could be vulnerable to code execution. The operative change prevents any Frame's innerText from specifying tag tokens.
apostrophecms · Aug 11, 2017 · 0fe551c · 0fe551c
1 parent fb89a71
commit 0fe551c
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -192,7 +192,7 @@ function sanitizeHtml(html, options, _recursing) {
       } else {
         result += ">";
         if (frame.innerText && !hasText && !options.textFilter) {
-          result += frame.innerText;
+          result += escapeHtml(frame.innerText);
         }
       }
     },

diff --git a/test/test.js b/test/test.js
@@ -532,4 +532,28 @@ describe('sanitizeHtml', function() {
       '<a href="/welcome">test</a>'
     );
   });
+  it('text from transformTags should not specify tags', function() {
+    var input = '<input value="&lt;script&gt;alert(1)&lt;/script&gt;">';
+    var want = '<u class="inlined-input">&lt;script&gt;alert(1)&lt;/script&gt;</u>';
+    // Runs the sanitizer with a policy that turns an attribute into
+    // text.  A policy like this might be used to turn inputs into
+    // inline elements that look like the original but which do not
+    // affect form submissions.
+    var got = sanitizeHtml(
+        input,
+        {
+          allowedTags: [ 'u' ],
+          allowedAttributes: { '*': ['class'] },
+          transformTags: {
+            input: function (tagName, attribs) {
+              return {
+                tagName: 'u',
+                attribs: { class: 'inlined-input' },
+                text: attribs.value
+              };
+            }
+          }
+        });
+    assert.equal(got, want);
+  });
 });