fix: prevent HTML injections to code blocks (#1165)

2023-01-15 12:48:22 +02:00 · 2023-01-15 12:48:22 +02:00 · c15df78cbb
commit c15df78cbb
parent 1a4fd19720
5 changed files with 88 additions and 25 deletions
--- a/tests/content-rich.test.ts
+++ b/tests/content-rich.test.ts
@ -136,6 +136,39 @@ describe('content-rich', () => {
      "
    `)
  })
+
+  it ('block with injected html, without language', async () => {
+    const { formatted } = await render(`
+      <pre>
+        <code>
+          &lt;a href="javascript:alert(1)">click me&lt;/a>
+        </code>
+      </pre>
+    `)
+    expect(formatted).toMatchSnapshot()
+  })
+
+  it ('block with injected html, with an unknown language', async () => {
+    const { formatted } = await render(`
+      <pre>
+        <code class="language-xyzzy">
+          &lt;a href="javascript:alert(1)">click me&lt;/a>
+        </code>
+      </pre>
+    `)
+    expect(formatted).toMatchSnapshot()
+  })
+
+  it ('block with injected html, with a known language', async () => {
+    const { formatted } = await render(`
+      <pre>
+        <code class="language-js">
+          &lt;a href="javascript:alert(1)">click me&lt;/a>
+        </code>
+      </pre>
+    `)
+    expect(formatted).toMatchSnapshot()
+  })
 })

 async function render(content: string, options?: ContentParseOptions) {
@ -173,23 +206,11 @@ vi.mock('~/composables/dialog.ts', () => {
  return {}
 })

-vi.mock('~/components/content/ContentCode.vue', () => {
+vi.mock('shiki-es', async (importOriginal) => {
+  const mod = await importOriginal()
  return {
-    default: defineComponent({
-      props: {
-        code: {
-          type: String,
-          required: true,
-        },
-        lang: {
-          type: String,
-        },
-      },
-      setup(props) {
-        const raw = computed(() => decodeURIComponent(props.code).replace(/&#39;/g, '\''))
-        return () => h('pre', { lang: props.lang }, raw.value)
-      },
-    }),
+    ...(mod as any),
+    setCDN() {},
  }
 })