From 2ff4d0fa4be6c981e35e0a8451c1cbb617b7c0a6 Mon Sep 17 00:00:00 2001
From: Paulus Schoutsen
Date: Fri, 6 Sep 2019 17:36:28 -0700
Subject: [PATCH] Do not allow SVG by default (#3640)

---
 src/auth/ha-auth-flow.ts | 1 +
 src/components/ha-markdown.ts | 17 +++++++++++-----
 .../config-flow/show-dialog-config-flow.ts | 8 ++++----
 .../config-flow/show-dialog-options-flow.ts | 2 +-
 .../profile/ha-mfa-module-setup-flow.js | 2 ++
 src/resources/markdown_worker.ts | 20 +++++++++++++++----
 6 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/src/auth/ha-auth-flow.ts b/src/auth/ha-auth-flow.ts
index 902c2a8e07..4799fbc155 100644
--- a/src/auth/ha-auth-flow.ts
+++ b/src/auth/ha-auth-flow.ts
@@ -96,6 +96,7 @@ class HaAuthFlow extends litLocalizeLiteMixin(LitElement) {
 return html` ${this.localize("ui.panel.page-authorize.abort_intro")}:
+
 ` : ""; },
@@ -64,7 +64,7 @@ export const showConfigFlowDialog = (
 ); return description ? html`
-
+
 ` : ""; },
@@ -102,7 +102,7 @@ export const showConfigFlowDialog = (

${description ? html`
-
+
 ` : ""} `;
@@ -119,7 +119,7 @@ export const showConfigFlowDialog = (
 return html` ${description ? html`
-
+
 ` : ""}

Created config for ${step.title}.

diff --git a/src/dialogs/config-flow/show-dialog-options-flow.ts b/src/dialogs/config-flow/show-dialog-options-flow.ts
index 740b364fbf..7720e1cea6 100644
--- a/src/dialogs/config-flow/show-dialog-options-flow.ts
+++ b/src/dialogs/config-flow/show-dialog-options-flow.ts
@@ -39,7 +39,7 @@ export const showOptionsFlowDialog = (
 return description ? html`
-
+
 ` : ""; },
diff --git a/src/panels/profile/ha-mfa-module-setup-flow.js b/src/panels/profile/ha-mfa-module-setup-flow.js
index 8139c87e3f..df25be0133 100644
--- a/src/panels/profile/ha-mfa-module-setup-flow.js
+++ b/src/panels/profile/ha-mfa-module-setup-flow.js
@@ -73,6 +73,7 @@ class HaMfaModuleSetupFlow extends LocalizeMixin(EventsMixin(PolymerElement)) {
diff --git a/src/resources/markdown_worker.ts b/src/resources/markdown_worker.ts
index 9c45e697f7..ec06680ce0 100644
--- a/src/resources/markdown_worker.ts
+++ b/src/resources/markdown_worker.ts
@@ -2,9 +2,21 @@ import marked from "marked";
 // @ts-ignore
 import filterXSS from "xss";
 
-export const renderMarkdown = (content: string, markedOptions: object) =>
+const allowedSvgTags = ["svg", "path"];
+
+const allowedTag = (tag: string) => tag === "ha-icon";
+
+export const renderMarkdown = (
+ content: string,
+ markedOptions: object,
+ hassOptions: {
+ // Do not allow SVG on untrusted content, it allows XSS.
+ allowSvg?: boolean;
+ } = {}
+) =>
 filterXSS(marked(content, markedOptions), {
- onIgnoreTag(tag, html) {
- return ["svg", "path", "ha-icon"].indexOf(tag) !== -1 ? html : null;
- },
+ onIgnoreTag: hassOptions.allowSvg
+ ? (tag, html) =>
+ allowedTag(tag) || allowedSvgTags.includes(tag) ? html : null
+ : (tag, html) => (allowedTag(tag) ? html : null),
 });
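Review bot: Returning the raw `html` string from `onIgnoreTag` in the markdown_worker.ts hunk echoes the matched tag verbatim, attributes included, so `ha-icon` (always) and `svg`/`path` (when `allowSvg` is set) never go through the attribute filtering that `xss` applies to whitelisted tags — an event-handler attribute on one of those tags survives sanitisation, as far as I can tell from xss's documented contract. Defaulting `allowSvg` to off is the right call, but the attribute gap also exists on the default path, because `allowedTag` still passes `ha-icon` through untouched. A safer shape is to register the tags in xss's `whiteList` option with an explicit attribute list, merged with `filterXSS.getDefaultWhiteList()`, and drop `onIgnoreTag` entirely, so the library strips anything not listed. The attribute lists below are placeholders to confirm against the content actually rendered; I have not checked whether xss lower-cases attribute names before matching, which matters for mixed-case SVG attributes such as `viewBox`.
```typescript
// Tag -> attribute names xss may keep; every other attribute on the tag is dropped.
const allowedTags = { "ha-icon": ["icon"] };
// TODO(review): placeholder attribute lists — confirm against the SVG the markdown actually carries.
const allowedSvgTags = { svg: [/* minimal attribute list */], path: ["d"] };

export const renderMarkdown = (
  // … unchanged: content, markedOptions, hassOptions parameters …
) =>
  filterXSS(marked(content, markedOptions), {
    whiteList: {
      ...filterXSS.getDefaultWhiteList(),
      ...allowedTags,
      ...(hassOptions.allowSvg ? allowedSvgTags : {}),
    },
  });
```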