Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-01-27 11:46:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Security Fix JVN#15385465: CWE-79 XSS, that affected WeKan 7.94.

Browse source 
Thanks to Sho Sugiyama and xet7 !
This commit is contained in:
Lauri Ojansivu 2025-10-11 04:47:17 +03:00
parent 746eecf3d8
commit 81c3dc1d95
3 changed files with 134 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

33
packages/markdown/src/secureDOMPurify.js
View file

@ -51,14 +51,37 @@ export function getSecureDOMPurifyConfig() {
return false;
}
// Block img tags with SVG data URIs
// Block img tags with SVG data URIs that could contain malicious JavaScript
if (node.tagName && node.tagName.toLowerCase() === 'img') {
const src = node.getAttribute('src');
if (src && (src.startsWith('data:image/svg') || src.endsWith('.svg'))) {
if (process.env.DEBUG === 'true') {
console.warn('Blocked potentially malicious SVG image:', src);
if (src) {
// Block all SVG data URIs to prevent XSS via embedded JavaScript
if (src.startsWith('data:image/svg') || src.endsWith('.svg')) {
if (process.env.DEBUG === 'true') {
console.warn('Blocked potentially malicious SVG image:', src);
}
return false;
}
// Additional check for base64 encoded SVG with script tags
if (src.startsWith('data:image/svg+xml;base64,')) {
try {
const base64Content = src.split(',')[1];
const decodedContent = atob(base64Content);
if (decodedContent.includes('<script') || decodedContent.includes('javascript:')) {
if (process.env.DEBUG === 'true') {
console.warn('Blocked SVG with embedded JavaScript:', src.substring(0, 100) + '...');
}
return false;
}
} catch (e) {
// If decoding fails, block it as a safety measure
if (process.env.DEBUG === 'true') {
console.warn('Blocked malformed SVG data URI:', src);
}
return false;
}
}
return false;
}
}