Mirrors
/
matrix-public-archive
mirror of https://github.com/matrix-org/matrix-public-archive.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix XSS when blatting `window.matrixPublicArchiveContext` to the page (#79) 

Fix https://github.com/matrix-org/internal-config/issues/1335
This commit is contained in:
Eric Eastwood 2022-10-13 14:36:04 -05:00 committed by GitHub
parent ff315141fd
commit 2581f88495
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
server/hydrogen-render/render-hydrogen-to-string-unsafe.js
View File

@ -16,7 +16,9 @@ const vm = require('vm');
const path = require('path');
const { readFile } = require('fs').promises;
const crypto = require('crypto');
const { parseHTML } = require('linkedom');
const safeJson = require('../lib/safe-json');
// Setup the DOM context with any necessary shims/polyfills and ensure the VM
// context global has everything that a normal document does so Hydrogen can
@ -72,11 +74,12 @@ async function _renderHydrogenToStringUnsafe(renderOptions) {
...renderOptions.vmRenderContext,
};
// Serialize it for when we run this again client-side
const serializedContext = JSON.stringify(dom.window.matrixPublicArchiveContext);
dom.document.body.insertAdjacentHTML(
'beforeend',
`
<script type="text/javascript">
window.matrixPublicArchiveContext = ${JSON.stringify(dom.window.matrixPublicArchiveContext)}
window.matrixPublicArchiveContext = ${safeJson(serializedContext)}
</script>
`
);