Fix security related problems (#1522)

* Remove unnecessary capture group from regex

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Rename component to make name more expressive

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Remove redundant expression

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Filter vbscript links

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Remove superfluous parameter

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Check if handler is set

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

* Fix doc

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

src/components/common/routing/note-direct-link-redirector.tsx

@@ -15,9 +15,12 @@ interface RouteParameters {
   id: string
 }
 
-export const Redirector: React.FC = () => {
+/**
+ * Redirects the user to the editor if the link is a root level direct link to a version 1 note.
+ */
+export const NoteDirectLinkRedirector: React.FC = () => {
   const { id } = useParams<RouteParameters>()
-  const [error, setError] = useState<boolean | null>(null)
+  const [error, setError] = useState<boolean | undefined>(undefined)
 
   useEffect(() => {
     getNote(id)
@@ -25,9 +28,9 @@ export const Redirector: React.FC = () => {
       .catch(() => setError(true))
   }, [id])
 
-  if (error) {
+  if (error === true) {
     return <NotFoundErrorScreen />
-  } else if (!error && error != null) {
+  } else if (error === false) {
     return <Redirect to={`/n/${id}`} />
   } else {
     return <span>Loading</span>

src/components/editor-page/editor-pane/autocompletion/code-block.ts

@@ -12,7 +12,7 @@ import { Logger } from '../../../../utils/logger'
 type highlightJsImport = typeof import('../../../common/hljs/hljs')
 
 const log = new Logger('Autocompletion > CodeBlock')
-const wordRegExp = /^```((\w|-|_|\+)*)$/
+const wordRegExp = /^```((?:\w|-|_|\+)*)$/
 let allSupportedLanguages: string[] = []
 
 /**

src/components/editor-page/editor-pane/autocompletion/container.ts

@@ -8,7 +8,7 @@ import { Editor, Hint, Hints, Pos } from 'codemirror'
 import { validAlertLevels } from '../../../markdown-renderer/markdown-it-plugins/alert-container'
 import { findWordAtCursor, Hinter } from './index'
 
-const wordRegExp = /^:::((\w|-|_|\+)*)$/
+const wordRegExp = /^:::((?:\w|-|_|\+)*)$/
 const spoilerSuggestion: Hint = {
   text: ':::spoiler Toggle label\nToggled content\n::: \n',
   displayText: 'spoiler'

src/components/markdown-renderer/replace-components/link-replacer/link-replacer.tsx

@@ -36,7 +36,7 @@ export class LinkReplacer extends ComponentReplacer {
     const url = node.attribs.href.trim()
 
     // eslint-disable-next-line no-script-url
-    if (url.startsWith('data:') || url.startsWith('javascript:')) {
+    if (url.startsWith('data:') || url.startsWith('javascript:') || url.startsWith('vbscript:')) {
       return <span>{node.attribs.href}</span>
     }
 

src/components/markdown-renderer/utils/html-react-transformer.tsx

@@ -96,7 +96,7 @@ export const buildTransformer = (
       return convertNodeToReactElement(node, index)
     }
     const nativeRenderer: NativeRenderer = () => renderNativeNode(node, key, transform)
-    const subNodeTransform: SubNodeTransform = (subNode, subKey) => transform(subNode, subKey, transform)
+    const subNodeTransform: SubNodeTransform = (subNode, subKey) => transform(subNode, subKey)
 
     const key = calculateKeyFromLineMarker(node, lineKeys) ?? (-index).toString()
     const tryReplacement = findNodeReplacement(node, allReplacers, subNodeTransform, nativeRenderer)

src/components/render-page/window-post-message-communicator/window-post-message-communicator.ts

@@ -121,6 +121,9 @@ export abstract class WindowPostMessageCommunicator<
   protected handleEvent(event: MessageEvent<PostMessage<RECEIVE_TYPE>>): boolean | undefined {
     const data = event.data
 
+    if (!(data.type in this.handlers)) {
+      return true
+    }
     const handler = this.handlers[data.type]
     if (!handler) {
       return true