From 164fe21d186829ea91ef379bc526b3644075499f Mon Sep 17 00:00:00 2001
From: Tilman Vatteroth
Date: Sun, 21 Aug 2022 21:57:52 +0200
Subject: [PATCH] Replace embedding shortcode regexes with more specific ones to safeguard against xss attacks

Signed-off-by: Tilman Vatteroth
---
 public/docs/release-notes.md | 1 +
 public/js/extra.js | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 8a2529ded..3e959e963 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -3,6 +3,7 @@
 ### Enhancements
 - Add dark mode toggle in mobile view
+- Replace embedding shortcode regexes with more specific ones to safeguard against xss attacks
 ### Bugfixes
 - Fix a crash when using LDAP authentication with custom search attributes (thanks to [@aboettger-tuhh](https://github.com/aboettger-tuhh) for reporting)
diff --git a/public/js/extra.js b/public/js/extra.js
index e9011082c..d104b7072 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -1119,7 +1119,7 @@ md.renderer.rules.fence = (tokens, idx, options, env, self) => {
 // youtube
 const youtubePlugin = new Plugin(
 // regexp to match
- /{%youtube\s*([\d\D]*?)\s*%}/,
+ /{%youtube\s*([\w-]{11})\s*%}/,
 (match, utils) => {
 const videoid = match[1]
@@ -1137,7 +1137,7 @@ const youtubePlugin = new Plugin(
 // vimeo
 const vimeoPlugin = new Plugin(
 // regexp to match
- /{%vimeo\s*([\d\D]*?)\s*%}/,
+ /{%vimeo\s*(\d{6,11})\s*%}/,
 (match, utils) => {
 const videoid = match[1]
@@ -1152,7 +1152,7 @@ const vimeoPlugin = new Plugin(
 // gist
 const gistPlugin = new Plugin(
 // regexp to match
- /{%gist\s*([\d\D]*?)\s*%}/,
+ /{%gist\s*(\w+\/\w+)\s*%}/,
 (match, utils) => {
 const gistid = match[1]
@@ -1170,7 +1170,7 @@ const tocPlugin = new Plugin(
 // slideshare
 const slidesharePlugin = new Plugin(
 // regexp to match
- /{%slideshare\s*([\d\D]*?)\s*%}/,
+ /{%slideshare\s*(\w+\/[\w-]+)\s*%}/,
 (match, utils) => {
 const slideshareid = match[1]
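Review bot: Nothing in the youtube hunk records that the new capture `([\w-]{11})` is a deliberate allowlist, so the `// regexp to match` comment above the `+` line gives a later maintainer no reason not to loosen it back to a lazy wildcard; it should say why the character class and the fixed length matter, e.g. `// regexp to match; the id is restricted to 11 URL-safe characters so the captured value cannot carry quotes or markup`. Whether `videoid` is additionally escaped where it is interpolated cannot be confirmed here, because the `new Plugin(` callback continues outside the hunk, which is exactly why tying safety to the capture rather than the sink is the right shape. The same one-line rationale is worth adding on the vimeo, gist, slideshare and speakerdeck hunks.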
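Review bot: The upper bound in `(\d{6,11})` on the vimeo `+` line is a hard cap, so an id longer than 11 digits would presumably no longer be recognised as a shortcode at all rather than fail loudly, and nothing in the hunk documents that the bound is intentional. Suggest widening the comment to `// regexp to match; numeric video id only, 6-11 digits - widen deliberately if ids outgrow this`. The `new Plugin(` call continues outside the hunk.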
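Review bot: `(\w+\/\w+)` on the gist `+` line rejects GitHub user names that contain a hyphen, which GitHub permits, so a previously working shortcode with such an owner silently stops rendering after this change; allowing the hyphen in the first segment keeps the value limited to URL-safe characters, `/{%gist\s*([\w-]+\/\w+)\s*%}/,`. The slideshare and speakerdeck hunks also use a bare `\w+` for their first segment and may have the same gap if those services allow hyphens in user names, which I cannot confirm from here. The `new Plugin(` callback that consumes `gistid` continues outside the hunk.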
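Review bot: The slideshare `+` line and the speakerdeck `+` line carry the same literal `(\w+\/[\w-]+)`, so the two allowlists can drift apart the next time one of them is adjusted; as a point of style, a single named pattern (a constructed name such as `USER_SLUG_RE`) built into both regexes would keep them in step, provided the Plugin helper does not rely on a `g`/`y` regex whose `lastIndex` would then be shared. The `new Plugin(` call continues outside the hunk.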
@@ -1182,7 +1182,7 @@ const slidesharePlugin = new Plugin(
 // speakerdeck
 const speakerdeckPlugin = new Plugin(
 // regexp to match
- /{%speakerdeck\s*([\d\D]*?)\s*%}/,
+ /{%speakerdeck\s*(\w+\/[\w-]+)\s*%}/,
 (match, utils) => {
 const speakerdeckid = match[1]