From ac321d0c1a7c356b0ce6c25c988fba1492a80738 Mon Sep 17 00:00:00 2001
From: Matthew Petroff
Date: Tue, 26 Nov 2019 12:47:12 -0500
Subject: [PATCH] Extend XSS vulnerability fix.

---
 src/js/pannellum.js | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/src/js/pannellum.js b/src/js/pannellum.js
index ba02214..aa2b2fd 100644
--- a/src/js/pannellum.js
+++ b/src/js/pannellum.js
@@ -2382,12 +2382,17 @@ function escapeHTML(s) {
  * @returns {string} Sanitized URL
  */
 function sanitizeURL(url, href) {
-    if (url.trim().toLowerCase().indexOf('javascript:') === 0 ||
-        url.trim().toLowerCase().indexOf('vbscript:') === 0) {
+    try {
+        var decoded_url = decodeURIComponent(unescape(url)).replace(/[^\w:]/g, '').toLowerCase();
+    } catch (e) {
+        return 'about:blank';
+    }
+    if (decoded_url.indexOf('javascript:') === 0 ||
+        decoded_url.indexOf('vbscript:') === 0) {
         console.log('Script URL removed.');
         return 'about:blank';
     }
-    if (href && url.trim().toLowerCase().indexOf('data:') === 0) {
+    if (href && decoded_url.indexOf('data:') === 0) {
         console.log('Data URI removed from link.');
         return 'about:blank';
     }
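Review bot: `var decoded_url` is declared inside the `try` block and only reaches the `if` checks below it through `var` hoisting; declaring it before the block, `var decoded_url;` with the assignment kept inside the `try`, makes the scope explicit (and `decodedUrl` would match the file's camelCase naming, as in `sanitizeURL` and `escapeHTML`). The `catch` branch rejects the URL without the `console.log` that the two other rejection branches emit; adding `console.log('Malformed URL removed.');` before its `return` keeps the diagnostics consistent. The three checks remain a denylist of schemes matched against the normalised copy; if callers only ever need http(s) and relative URLs, an allowlist on the scheme would be the more robust shape, though the callers are not visible here. The rest of sanitizeURL, including its final return, lies outside the hunk.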
@@ -2395,6 +2400,28 @@ function sanitizeURL(url, href) {
 }
 
 /**
+ * Unescapes HTML entities.
+ * Copied from Marked.js 0.7.0.
+ * @private
+ * @param {string} url - URL to sanitize
+ * @param {boolean} href - True if URL is for link (blocks data URIs)
+ * @returns {string} Sanitized URL
+ */
+function unescape(html) {
+    // Explicitly match decimal, hex, and named HTML entities
+    return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/ig, function(_, n) {
+        n = n.toLowerCase();
+        if (n === 'colon') return ':';
+        if (n.charAt(0) === '#') {
+            return n.charAt(1) === 'x'
+                ? String.fromCharCode(parseInt(n.substring(2), 16))
+                : String.fromCharCode(+n.substring(1));
+        }
+        return '';
+    });
+}
+
+/**
  * Removes possibility of XSS atacks with URLs for CSS.
  * The URL will be sanitized with `sanitizeURL()` and single quotes
  * and double quotes escaped.
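Review bot: The JSDoc on the new `unescape` function was copied from sanitizeURL and documents the wrong contract: it lists `url` and `href` parameters and a sanitized-URL return, while the function takes a single `html` string and returns it with HTML entities decoded. Replace the three tags with `@param {string} html - String containing HTML entities` and `@returns {string} String with entities decoded`, dropping the `href` line. The name also shadows the deprecated global `unescape()`; a name such as `unescapeHTML`, matching the neighbouring `escapeHTML`, would avoid the ambiguity, but the call in sanitizeURL in the hunk above would need to change with it. Numeric references above U+FFFF are truncated by `String.fromCharCode`, so this decoder differs from a browser's HTML parser there; as far as I can see that only makes the scheme pre-check over-conservative, but it deserves a comment if the helper is ever reused for output.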