From 2ff4d0fa4be6c981e35e0a8451c1cbb617b7c0a6 Mon Sep 17 00:00:00 2001
From: Paulus Schoutsen
Date: Fri, 6 Sep 2019 17:36:28 -0700
Subject: [PATCH] Do not allow SVG by default (#3640)
---
src/auth/ha-auth-flow.ts | 1 +
src/components/ha-markdown.ts | 17 +++++++++++-----
.../config-flow/show-dialog-config-flow.ts | 8 ++++----
.../config-flow/show-dialog-options-flow.ts | 2 +-
.../profile/ha-mfa-module-setup-flow.js | 2 ++
src/resources/markdown_worker.ts | 20 +++++++++++++++----
6 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/src/auth/ha-auth-flow.ts b/src/auth/ha-auth-flow.ts
index 902c2a8e07..4799fbc155 100644
--- a/src/auth/ha-auth-flow.ts
+++ b/src/auth/ha-auth-flow.ts
@@ -96,6 +96,7 @@ class HaAuthFlow extends litLocalizeLiteMixin(LitElement) {
return html`
${this.localize("ui.panel.page-authorize.abort_intro")}:
+
`
: "";
},
@@ -64,7 +64,7 @@ export const showConfigFlowDialog = (
);
return description
? html`
-
+
`
: "";
},
@@ -102,7 +102,7 @@ export const showConfigFlowDialog = (
${description
? html`
-
+
`
: ""}
`;
@@ -119,7 +119,7 @@ export const showConfigFlowDialog = (
return html`
${description
? html`
-
+
`
: ""}
Created config for ${step.title}.
diff --git a/src/dialogs/config-flow/show-dialog-options-flow.ts b/src/dialogs/config-flow/show-dialog-options-flow.ts
index 740b364fbf..7720e1cea6 100644
--- a/src/dialogs/config-flow/show-dialog-options-flow.ts
+++ b/src/dialogs/config-flow/show-dialog-options-flow.ts
@@ -39,7 +39,7 @@ export const showOptionsFlowDialog = (
return description
? html`
-
+
`
: "";
},
diff --git a/src/panels/profile/ha-mfa-module-setup-flow.js b/src/panels/profile/ha-mfa-module-setup-flow.js
index 8139c87e3f..df25be0133 100644
--- a/src/panels/profile/ha-mfa-module-setup-flow.js
+++ b/src/panels/profile/ha-mfa-module-setup-flow.js
@@ -73,6 +73,7 @@ class HaMfaModuleSetupFlow extends LocalizeMixin(EventsMixin(PolymerElement)) {
@@ -90,6 +91,7 @@ class HaMfaModuleSetupFlow extends LocalizeMixin(EventsMixin(PolymerElement)) {
if="[[_computeStepDescription(localize, _step)]]"
>
diff --git a/src/resources/markdown_worker.ts b/src/resources/markdown_worker.ts
index 9c45e697f7..ec06680ce0 100644
--- a/src/resources/markdown_worker.ts
+++ b/src/resources/markdown_worker.ts
@@ -2,9 +2,21 @@ import marked from "marked";
// @ts-ignore
import filterXSS from "xss";
-export const renderMarkdown = (content: string, markedOptions: object) =>
+const allowedSvgTags = ["svg", "path"];
+
+const allowedTag = (tag: string) => tag === "ha-icon";
+
+export const renderMarkdown = (
+ content: string,
+ markedOptions: object,
+ hassOptions: {
+ // Do not allow SVG on untrusted content, it allows XSS.
+ allowSvg?: boolean;
+ } = {}
+) =>
filterXSS(marked(content, markedOptions), {
- onIgnoreTag(tag, html) {
- return ["svg", "path", "ha-icon"].indexOf(tag) !== -1 ? html : null;
- },
+ onIgnoreTag: hassOptions.allowSvg
+ ? (tag, html) =>
+ allowedTag(tag) || allowedSvgTags.includes(tag) ? html : null
+ : (tag, html) => (allowedTag(tag) ? html : null),
});
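Review bot: `allowedTag` passes `ha-icon` through `onIgnoreTag`, and as far as I can tell js-xss inserts whatever string that callback returns verbatim, so an `<ha-icon>` written into the markdown keeps every attribute it was given — inline event handlers included — with no attribute filtering, regardless of `allowSvg`. The same pass-through applies to `svg` and `path` when `allowSvg` is set, which is presumably the XSS the option comment refers to; the comment would be clearer as `// Do not allow SVG on untrusted content: svg/path are passed through with their attributes unfiltered, which allows XSS.`. Declaring the extra elements in xss's `whiteList` with an explicit attribute list lets the library's attribute filtering apply to them and removes the need for `onIgnoreTag` altogether; the attribute sets below are a starting point to extend as the rendered content needs.
```typescript
// Extra elements on top of js-xss's defaults; attributes not listed here are
// stripped by the library instead of being passed through verbatim.
const baseWhiteList = {
  ...filterXSS.getDefaultWhiteList(),
  "ha-icon": ["icon"],
};
const svgWhiteList = {
  ...baseWhiteList,
  svg: ["xmlns", "viewBox"], // starting set — extend as the content needs
  path: ["d"],
};

export const renderMarkdown = (
  content: string,
  markedOptions: object,
  hassOptions: {
    // Only enable for trusted content: SVG remains a large attack surface
    // even with attribute filtering, so it stays off by default.
    allowSvg?: boolean;
  } = {}
) =>
  filterXSS(marked(content, markedOptions), {
    whiteList: hassOptions.allowSvg ? svgWhiteList : baseWhiteList,
  });
```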