diff --git a/app/scripts/comp/format/kdbx-to-html.js b/app/scripts/comp/format/kdbx-to-html.js
index 960e2a02..b0a654f3 100644
--- a/app/scripts/comp/format/kdbx-to-html.js
+++ b/app/scripts/comp/format/kdbx-to-html.js
@@ -47,8 +47,8 @@ function walkEntry(db, entry, parents) {
let html = false;
if (field.markdown && AppSettingsModel.useMarkdown) {
const converted = MdToHtml.convert(value);
- if (converted !== value) {
- value = converted;
+ if (converted.html) {
+ value = converted.html;
html = true;
}
}
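Review bot: The text case of the new result shape is handled only implicitly here: when `converted.html` is absent the code keeps the original `value`, which is correct only because `convert` returns its input verbatim as `{ text }`, while field-view-text.js in the same commit assigns `value = converted.text` instead. The two call sites should share one idiom, or this one should state the dependency, e.g. `// no markup: convert() returns the input unchanged as { text }, so value is kept as-is`. walkEntry continues outside the hunk, so whether the plain value is escaped before it is written into the export is not visible here.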
diff --git a/app/scripts/util/formatting/md-to-html.js b/app/scripts/util/formatting/md-to-html.js
index a6b5b950..fdcd0681 100644
--- a/app/scripts/util/formatting/md-to-html.js
+++ b/app/scripts/util/formatting/md-to-html.js
@@ -21,10 +21,10 @@ const MdToHtml = {
const htmlWithoutLineBreaks = html.replace(whiteSpaceRegex, '');
const mdWithoutLineBreaks = md.replace(whiteSpaceRegex, '');
if (htmlWithoutLineBreaks === mdWithoutLineBreaks) {
- return md;
+ return { text: md };
} else {
const sanitized = dompurify.sanitize(html, { ADD_ATTR: ['target'] });
- return `
${sanitized}
`;
+ return { html: `${sanitized}
` };
}
}
};
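Review bot: The `{ html } | { text }` return shape is now the contract every caller branches on, but nothing in md-to-html.js documents it; a JSDoc on `convert` would keep the two cases from being confused: `@returns {{ html: string } | { text: string }} html is DOMPurify-sanitized markup ready to insert; text is the untouched input and must not be inserted as HTML`. Separately, `ADD_ATTR: ['target']` re-allows an attribute DOMPurify strips by default, so if rendered links carry `target="_blank"` a matching `rel="noopener"` should be ensured as well (where `target` originates is outside this hunk, so this is inferred). `convert` begins above the first line of the hunk.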
diff --git a/app/scripts/views/fields/field-view-text.js b/app/scripts/views/fields/field-view-text.js
index c8a3a81c..d7643dd7 100644
--- a/app/scripts/views/fields/field-view-text.js
+++ b/app/scripts/views/fields/field-view-text.js
@@ -24,7 +24,11 @@ class FieldViewText extends FieldView {
if (value && value.isProtected) {
value = value.getText();
}
- return MdToHtml.convert(value);
+ const converted = MdToHtml.convert(value);
+ if (converted.html) {
+ return converted.html;
+ }
+ value = converted.text;
}
return value && value.isProtected
? PasswordPresenter.presentValueWithLineBreaks(value)
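Review bot: `if (converted.html)` is a truthiness test, so a result of `{ html: '' }` would fall through to `value = converted.text` and set `value` to `undefined`. With the current `convert` the html string always ends in a newline, so this is latent rather than live, but a presence check costs nothing: `if (converted.html !== undefined) {`. The enclosing method starts and ends outside the hunk; the non-protected branch of the return on the last lines is where the raw `converted.text` ends up, so confirm it is escaped before rendering.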
diff --git a/release-notes.md b/release-notes.md
index afdd9a62..c3af2e5d 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -2,6 +2,7 @@ Release notes
-------------
##### v1.14.0 (TBD)
`+` using OAuth authorization code grant for all storage providers
+`-` fixed a number of vulnerabilities in opening untrusted kdbx files
##### v1.13.4 (2020-04-15)
`-` fix #1457: fixed styles in theme plugins
diff --git a/test/src/util/formatting/md-to-html.js b/test/src/util/formatting/md-to-html.js
index 28bea140..dcbed84a 100644
--- a/test/src/util/formatting/md-to-html.js
+++ b/test/src/util/formatting/md-to-html.js
@@ -3,20 +3,21 @@ import { MdToHtml } from 'util/formatting/md-to-html';
describe('MdToHtml', () => {
it('should convert markdown', () => {
- expect(MdToHtml.convert('## head\n_italic_')).to.eql(
- ''
- );
+ expect(MdToHtml.convert('## head\n_italic_')).to.eql({
+ html: ''
+ });
});
it('should not add markdown wrapper tags for plaintext', () => {
- expect(MdToHtml.convert('plain\ntext')).to.eql('plain\ntext');
+ expect(MdToHtml.convert('plain\ntext')).to.eql({ text: 'plain\ntext' });
});
it('should convert links', () => {
- expect(MdToHtml.convert('[link](https://x)')).to.eql(
- '' +
+ expect(MdToHtml.convert('[link](https://x)')).to.eql({
+ html:
+ '
'
- );
+ });
});
});
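Review bot: The updated tests pin the new result shape but none exercises the sanitizing branch itself, which is the part the release note describes as a security fix; a case asserting that `convert` drops a disallowed element or event-handler attribute from its input would guard the `dompurify.sanitize` call against regressions. The expected markup in the `html:` assertions appears to have been lost in extraction (empty strings on the first and third cases), so their correctness cannot be checked from this page.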