Desktop: Security: Fixes XSS in GotoAnything dialog

laurent22 · Jun 30, 2022 · e797ebb · e797ebb
1 parent f99b8df
commit e797ebb
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/packages/lib/string-utils.js b/packages/lib/string-utils.js
@@ -1,3 +1,5 @@
+const Entities = require('html-entities').AllHtmlEntities;
+const htmlentities = new Entities().encode;
 const stringUtilsCommon = require('./string-utils-common.js');
 
 const defaultDiacriticsRemovalMap = [
@@ -294,16 +296,25 @@ function escapeHtml(s) {
 // keywords can either be a list of strings, or a list of objects with the format:
 // { value: 'actualkeyword', type: 'regex/string' }
 // The function surrounds the keywords wherever they are, even within other words.
-function surroundKeywords(keywords, text, prefix, suffix) {
+function surroundKeywords(keywords, text, prefix, suffix, options = null) {
+	options = Object.assign({}, {
+		escapeHtml: false,
+	}, options);
+
 	if (!keywords.length) return text;
 
+	function escapeHtml(s) {
+		if (!options.escapeHtml) return s;
+		return htmlentities(s);
+	}
+
 	let regexString = keywords
 		.map(k => {
 			if (k.type === 'regex') {
-				return stringUtilsCommon.replaceRegexDiacritics(k.valueRegex);
+				return escapeHtml(stringUtilsCommon.replaceRegexDiacritics(k.valueRegex));
 			} else {
 				const value = typeof k === 'string' ? k : k.value;
-				return stringUtilsCommon.replaceRegexDiacritics(stringUtilsCommon.pregQuote(value));
+				return escapeHtml(stringUtilsCommon.replaceRegexDiacritics(stringUtilsCommon.pregQuote(value)));
 			}
 		})
 		.join('|');