escaping html in the notes field

app/scripts/comp/format/kdbx-to-html.js

@@ -47,8 +47,8 @@ function walkEntry(db, entry, parents) {
             let html = false;
             if (field.markdown && AppSettingsModel.useMarkdown) {
                 const converted = MdToHtml.convert(value);
-                if (converted !== value) {
-                    value = converted;
+                if (converted.html) {
+                    value = converted.html;
                     html = true;
                 }
             }

app/scripts/util/formatting/md-to-html.js

@@ -21,10 +21,10 @@ const MdToHtml = {
         const htmlWithoutLineBreaks = html.replace(whiteSpaceRegex, '');
         const mdWithoutLineBreaks = md.replace(whiteSpaceRegex, '');
         if (htmlWithoutLineBreaks === mdWithoutLineBreaks) {
-            return md;
+            return { text: md };
         } else {
             const sanitized = dompurify.sanitize(html, { ADD_ATTR: ['target'] });
-            return `<div class="markdown">${sanitized}</div>`;
+            return { html: `<div class="markdown">${sanitized}</div>` };
         }
     }
 };

app/scripts/views/fields/field-view-text.js

@@ -24,7 +24,11 @@ class FieldViewText extends FieldView {
             if (value && value.isProtected) {
                 value = value.getText();
             }
-            return MdToHtml.convert(value);
+            const converted = MdToHtml.convert(value);
+            if (converted.html) {
+                return converted.html;
+            }
+            value = converted.text;
         }
         return value && value.isProtected
             ? PasswordPresenter.presentValueWithLineBreaks(value)

release-notes.md

@@ -2,6 +2,7 @@ Release notes
 -------------
 ##### v1.14.0 (TBD)
 `+` using OAuth authorization code grant for all storage providers  
+`-` fixed a number of vulnerabilities in opening untrusted kdbx files  
 
 ##### v1.13.4 (2020-04-15)
 `-` fix #1457: fixed styles in theme plugins  

test/src/util/formatting/md-to-html.js

@@ -3,20 +3,21 @@ import { MdToHtml } from 'util/formatting/md-to-html';
 
 describe('MdToHtml', () => {
     it('should convert markdown', () => {
-        expect(MdToHtml.convert('## head\n_italic_')).to.eql(
-            '<div class="markdown"><h2>head</h2>\n<p><em>italic</em></p>\n</div>'
-        );
+        expect(MdToHtml.convert('## head\n_italic_')).to.eql({
+            html: '<div class="markdown"><h2>head</h2>\n<p><em>italic</em></p>\n</div>'
+        });
     });
 
     it('should not add markdown wrapper tags for plaintext', () => {
-        expect(MdToHtml.convert('plain\ntext')).to.eql('plain\ntext');
+        expect(MdToHtml.convert('plain\ntext')).to.eql({ text: 'plain\ntext' });
     });
 
     it('should convert links', () => {
-        expect(MdToHtml.convert('[link](https://x)')).to.eql(
-            '<div class="markdown">' +
+        expect(MdToHtml.convert('[link](https://x)')).to.eql({
+            html:
+                '<div class="markdown">' +
                 '<p><a href="https://x" rel="noreferrer noopener" target="_blank">link</a></p>\n' +
                 '</div>'
-        );
+        });
     });
 });