diff --git a/app/scripts/comp/format/kdbx-to-html.js b/app/scripts/comp/format/kdbx-to-html.js
index 960e2a02..b0a654f3 100644
--- a/app/scripts/comp/format/kdbx-to-html.js
+++ b/app/scripts/comp/format/kdbx-to-html.js
@@ -47,8 +47,8 @@ function walkEntry(db, entry, parents) {
 let html = false;
 if (field.markdown && AppSettingsModel.useMarkdown) {
 const converted = MdToHtml.convert(value);
- if (converted !== value) {
- value = converted;
+ if (converted.html) {
+ value = converted.html;
 html = true;
 }
 }
diff --git a/app/scripts/util/formatting/md-to-html.js b/app/scripts/util/formatting/md-to-html.js
index a6b5b950..fdcd0681 100644
--- a/app/scripts/util/formatting/md-to-html.js
+++ b/app/scripts/util/formatting/md-to-html.js
@@ -21,10 +21,10 @@ const MdToHtml = {
 const htmlWithoutLineBreaks = html.replace(whiteSpaceRegex, '');
 const mdWithoutLineBreaks = md.replace(whiteSpaceRegex, '');
 if (htmlWithoutLineBreaks === mdWithoutLineBreaks) {
- return md;
+ return { text: md };
 } else {
 const sanitized = dompurify.sanitize(html, { ADD_ATTR: ['target'] });
- return `
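Review bot: The check `if (converted.html)` depends on `MdToHtml.convert()` returning a one-key object that is either `{ html }` or `{ text }`, and nothing at this call site records that contract or why the `text` case deliberately leaves `html` false; the same implicit check is repeated in field-view-text.js. Suggest a comment above the `if`: `// convert() returns { html } (dompurify-sanitized, rendered as markup) or { text } (the original string, which must stay on the escaped-text path)` — the second half describes what the rest of walkEntry presumably does with `html === false` and should be confirmed against the code below the hunk. Truthiness works here only because the `html` value is a non-empty template literal wrapping `${sanitized}`; `'html' in converted` would make the discriminator explicit rather than incidental.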
${sanitized}
`; + return { html: `
${sanitized}
` };
 }
 }
 };
diff --git a/app/scripts/views/fields/field-view-text.js b/app/scripts/views/fields/field-view-text.js
index c8a3a81c..d7643dd7 100644
--- a/app/scripts/views/fields/field-view-text.js
+++ b/app/scripts/views/fields/field-view-text.js
@@ -24,7 +24,11 @@ class FieldViewText extends FieldView {
 if (value && value.isProtected) {
 value = value.getText();
 }
- return MdToHtml.convert(value);
+ const converted = MdToHtml.convert(value);
+ if (converted.html) {
+ return converted.html;
+ }
+ value = converted.text;
 }
 return value && value.isProtected
 ? PasswordPresenter.presentValueWithLineBreaks(value)
diff --git a/release-notes.md b/release-notes.md
index afdd9a62..c3af2e5d 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -2,6 +2,7 @@ Release notes
 -------------
 ##### v1.14.0 (TBD)
 `+` using OAuth authorization code grant for all storage providers
+`-` fixed a number of vulnerabilities in opening untrusted kdbx files
 ##### v1.13.4 (2020-04-15)
 `-` fix #1457: fixed styles in theme plugins
diff --git a/test/src/util/formatting/md-to-html.js b/test/src/util/formatting/md-to-html.js
index 28bea140..dcbed84a 100644
--- a/test/src/util/formatting/md-to-html.js
+++ b/test/src/util/formatting/md-to-html.js
@@ -3,20 +3,21 @@ import { MdToHtml } from 'util/formatting/md-to-html';
 describe('MdToHtml', () => {
 it('should convert markdown', () => {
- expect(MdToHtml.convert('## head\n_italic_')).to.eql(
- '
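Review bot: `convert()` now returns a tagged result, `{ text: md }` or `{ html: ... }`, but there is no JSDoc on it, so callers can only discover the two shapes by reading the body; since the `text` variant hands back the input unsanitized while the `html` variant has been through `dompurify.sanitize`, the distinction is security-relevant and belongs at the function. Suggest a JSDoc `@returns {{html: string}|{text: string}}` stating that `html` is sanitized and may be inserted as markup, whereas `text` is the caller's own input and must be rendered as text. The function signature and the `md`/`html` declarations sit above the hunk, so the existing doc, if any, cannot be seen here. `ADD_ATTR: ['target']` widens dompurify's default attribute allow-list; a one-line comment saying why links need it would also help the next reader judge the trade-off.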
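Review bot: After `value = converted.text;` control falls through to `return value && value.isProtected ? PasswordPresenter.presentValueWithLineBreaks(value)`, but on this path `value` was already unwrapped with `getText()` three lines earlier, so the protected branch of that ternary can no longer be taken for a markdown field; the code is correct but reads as if it could. A short comment on the assignment would make the intent clear: `// plain text (no markdown markup): fall through to the same non-markdown rendering as other fields`. The enclosing method starts and ends outside the hunk, so whether the ternary's other branch escapes the text — which it must, since `text` is the unsanitized input — cannot be confirmed from here.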

head

\n

italic

\n
' - ); + expect(MdToHtml.convert('## head\n_italic_')).to.eql({ + html: '

head

\n

italic

\n
' + }); }); it('should not add markdown wrapper tags for plaintext', () => { - expect(MdToHtml.convert('plain\ntext')).to.eql('plain\ntext'); + expect(MdToHtml.convert('plain\ntext')).to.eql({ text: 'plain\ntext' }); }); it('should convert links', () => { - expect(MdToHtml.convert('[link](https://x)')).to.eql( - '
' + + expect(MdToHtml.convert('[link](https://x)')).to.eql({ + html: + '
' + '

link

\n' + '
' - ); + }); }); });
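Review bot: The updated assertions pin the `{ html }` and `{ text }` shapes, but none of the three cases feeds `convert()` markdown that dompurify actually has to alter, so the `sanitize` call — the part of this change that matters for untrusted kdbx content — is exercised only by inputs it passes through untouched. A fourth `it` that passes text containing a disallowed raw HTML element or an event-handler attribute and asserts the returned `html` no longer contains it would lock the mitigation in; a companion case checking that `target` survives on a link (the `ADD_ATTR` opt-in) would cover the other direction. The `describe` block's closing `});` is inside the hunk, so the new case fits directly before it.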