diff --git a/app/src/config/bazaar.ts b/app/src/config/bazaar.ts
index d17f220e6..66c18317a 100644
--- a/app/src/config/bazaar.ts
+++ b/app/src/config/bazaar.ts
@@ -12,7 +12,7 @@ import {setStorageVal, writeText} from "../protyle/util/compatibility";
 import {hasClosestByAttribute, hasClosestByClassName} from "../protyle/util/hasClosest";
 import {Plugin} from "../plugin";
 import {App} from "../index";
-import {escapeAttr} from "../util/escape";
+import {escapeAttr, escapeHtml} from "../util/escape";
 import {uninstall} from "../plugin/uninstall";
 import {afterLoadPlugin, loadPlugin, loadPlugins} from "../plugin/loader";
 import {useShell} from "../util/pathName";
@@ -235,7 +235,10 @@ export const bazaar = {
 return "";
 }
 try {
- new URL(funding);
+ const url = new URL(funding);
+ if (!["http:", "https:", "mailto:"].includes(url.protocol)) {
+ throw new Error("not an allowed URL protocol");
+ }
 return ``;
 } catch (e) {
 return ``;
@@ -272,7 +275,7 @@ export const bazaar = {
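Review bot: The new protocol check rejects a bad scheme by throwing inside the try purely so that the existing catch returns the fallback, which turns the catch into a goto and reads as an unexpected failure rather than a deliberate decision; returning the fallback directly from the if body, `if (!["http:", "https:", "mailto:"].includes(url.protocol)) { return /* same fallback as the catch */; }`, keeps the catch for genuine parse errors. The catch binds `e` without using it; `} catch {` is enough. The template literal bodies are not visible in this view, so confirm that wherever `funding` is interpolated into an `href` it passes through `escapeAttr`, which this file already imports. The enclosing function starts and ends outside the hunk.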
- ${item.preferredName}
+ ${escapeHtml(item.preferredName)}
${item.preferredDesc || ""}
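Review bot: `item.preferredDesc` on the context line directly below the change is still interpolated raw while `item.preferredName` now goes through `escapeHtml`, and the @@ -319 and @@ -428 hunks have the same shape. The origin of `preferredDesc` is not visible here; if it relies on the kernel's `sanitizePackageDisplayStrings` having already escaped `Description` (the package.go hunk shows that loop), a comment such as `// preferredDesc is HTML-escaped kernel-side in sanitizePackageDisplayStrings; preferredName is escaped here` would stop a later reader from reading the asymmetry as an omission, and if it does not, it should be escaped the same way. The enclosing function starts and ends outside the hunk.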
@@ -319,7 +322,7 @@ export const bazaar = {
- ${item.preferredName}
+ ${escapeHtml(item.preferredName)}
${item.preferredDesc || ""}
@@ -428,7 +431,7 @@ export const bazaar = {
- ${item.preferredName}
+ ${escapeHtml(item.preferredName)}
${item.preferredDesc || ""}
@@ -521,11 +524,11 @@ type="checkbox">
- ${data.preferredName}
+ ${escapeHtml(data.preferredName)}
- ${data.name}
+ ${escapeHtml(data.name)}
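Review bot: `escapeHtml(data.name)` here, and `escapeHtml(data.version)` in the @@ -539 hunk, are applied on top of the kernel's new `pkg.Name = html.EscapeString(pkg.Name)` and `pkg.Version = html.EscapeString(pkg.Version)` in the package.go hunk of this same commit. If `data` is the Package the kernel serves (its source is not visible here), a name containing `&` or `<` will now reach the DOM as the literal text `&amp;amp;` or `&amp;lt;`, so the display is wrong even though it is no longer injectable. Escaping belongs to exactly one layer, conventionally the renderer; either drop the kernel-side escape for the fields the UI now escapes, or document the kernel as the single escaping point and leave these interpolations raw. The enclosing function starts and ends outside the hunk.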
@@ -539,7 +542,7 @@ type="checkbox">
-
${window.siyuan.languages.currentVer}
v${data.version}
+
${window.siyuan.languages.currentVer}
v${escapeHtml(data.version)}
${downloaded ? window.siyuan.languages.installDate : window.siyuan.languages.releaseDate}
${downloaded ? data.hInstallDate : data.hUpdated}
diff --git a/kernel/bazaar/package.go b/kernel/bazaar/package.go
index b3814ceca..c360a2a6a 100644
--- a/kernel/bazaar/package.go
+++ b/kernel/bazaar/package.go
@@ -131,18 +131,31 @@ func ParsePackageJSON(filePath string) (ret *Package, err error) {
 return
 }
-// sanitizePackageDisplayStrings 对集市包直接显示的信息做 HTML 转义,避免 XSS。
+// sanitizePackageDisplayStrings 对集市包可能直接显示的信息做 HTML 转义,避免 XSS。
 func sanitizePackageDisplayStrings(pkg *Package) {
 if pkg == nil {
 return
 }
+ pkg.Name = html.EscapeString(pkg.Name)
 pkg.Author = html.EscapeString(pkg.Author)
+ pkg.Version = html.EscapeString(pkg.Version)
 for k, v := range pkg.DisplayName {
 pkg.DisplayName[k] = html.EscapeString(v)
 }
 for k, v := range pkg.Description {
 pkg.Description[k] = html.EscapeString(v)
 }
+ if pkg.Funding != nil {
+ pkg.Funding.OpenCollective = html.EscapeString(pkg.Funding.OpenCollective)
+ pkg.Funding.Patreon = html.EscapeString(pkg.Funding.Patreon)
+ pkg.Funding.GitHub = html.EscapeString(pkg.Funding.GitHub)
+ for i, v := range pkg.Funding.Custom {
+ pkg.Funding.Custom[i] = html.EscapeString(v)
+ }
+ }
+ for i, kw := range pkg.Keywords {
+ pkg.Keywords[i] = html.EscapeString(kw)
+ }
 }
 // GetPreferredLocaleString 从 LocaleStrings 中按当前语种取值,无则回退 default、en_US,再回退 fallback。
@@ -177,7 +190,11 @@ func getPreferredFunding(funding *Funding) string {
 return v
 }
 if 0 < len(funding.Custom) {
- return funding.Custom[0]
+ v := funding.Custom[0]
+ if strings.HasPrefix(v, "https://") || strings.HasPrefix(v, "http://") || strings.HasPrefix(v, "mailto:") {
+ return v
+ }
+ return ""
 }
 return ""
 }
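Review bot: Applying `html.EscapeString` to the `Funding` URL fields at parse time rewrites the data itself rather than its presentation: `&` in a query string becomes `&amp;`, so a custom link like `https://example.test/?a=1&b=2` (constructed example) is stored as `...?a=1&amp;b=2`; the client's `new URL()` accepts that, but the query the browser sends is no longer the author's, and an attribute-escaping renderer encodes the `&` a second time. The same applies to `Keywords` if they are ever compared or searched rather than only displayed. For URL-valued fields the scheme check that `getPreferredFunding` now performs is the right control, and escaping should be left to the renderer; a comment on the function such as `// Only free-text fields are escaped here; URL fields are scheme-validated in getPreferredFunding and escaped at render time.` would record which layer owns which field. The `ParsePackageJSON` body at the top of the hunk starts outside it.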
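Review bot: The `return ""` added right after the new prefix check duplicates the function's final `return ""` two lines below, and the inner `v` shadows the `v` returned earlier in the function; folding the guard into the if statement leaves a single fall-through and no shadowing: `if v := funding.Custom[0]; strings.HasPrefix(v, "https://") || strings.HasPrefix(v, "http://") || strings.HasPrefix(v, "mailto:") { return v }`. The allowlist here mirrors the `["http:", "https:", "mailto:"]` protocol check added to app/src/config/bazaar.ts in this commit, so a `// keep in sync with the URL protocol allowlist in app/src/config/bazaar.ts` comment on one side would help the two stay aligned. The body of `getPreferredFunding` starts outside the hunk.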