fix: fix journal entry xss vulnerability (#4451)

monicahq · Sep 12, 2020 · dfea6a4 · dfea6a4
1 parent 742aef7
commit dfea6a4
Show file tree

Hide file tree

Showing 10 changed files with 11 additions and 81 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,7 @@
 
 ### Fixes:
 
-*
+* Fix journal entry XSS vulnerability
 
 
 # RELEASED VERSIONS:

diff --git a/app/Models/Account/Activity.php b/app/Models/Account/Activity.php
@@ -2,7 +2,6 @@
 
 namespace App\Models\Account;
 
-use Parsedown;
 use App\Helpers\DateHelper;
 use App\Traits\Journalable;
 use App\Models\Contact\Contact;
@@ -100,20 +99,6 @@ public function emotions()
             ->withTimestamps();
     }
 
-    /**
-     * Return the markdown parsed body.
-     *
-     * @return string|null
-     */
-    public function getParsedContentAttribute(): ?string
-    {
-        if (is_null($this->description)) {
-            return null;
-        }
-
-        return (new Parsedown())->text($this->description);
-    }
-
     /**
      * Get the summary for this activity.
      *

diff --git a/app/Models/Contact/Call.php b/app/Models/Contact/Call.php
@@ -2,7 +2,6 @@
 
 namespace App\Models\Contact;
 
-use Parsedown;
 use App\Models\Account\Account;
 use App\Models\Instance\Emotion\Emotion;
 use App\Models\ModelBindingWithContact as Model;
@@ -76,18 +75,4 @@ public function emotions()
                     ->withPivot('account_id', 'contact_id')
                     ->withTimestamps();
     }
-
-    /**
-     * Return the markdown parsed body.
-     *
-     * @return string|null
-     */
-    public function getParsedContentAttribute(): ?string
-    {
-        if (is_null($this->content)) {
-            return null;
-        }
-
-        return (new Parsedown())->text($this->content);
-    }
 }
diff --git a/app/Models/Journal/Entry.php b/app/Models/Journal/Entry.php
@@ -2,7 +2,6 @@
 
 namespace App\Models\Journal;
 
-use Parsedown;
 use App\Helpers\DateHelper;
 use App\Traits\Journalable;
 use App\Models\Account\Account;
@@ -59,17 +58,6 @@ public function getDateAttribute($value)
         return $this->journalEntry ? $this->journalEntry->date : $this->created_at;
     }
 
-    /**
-     * Get the Entry post.
-     *
-     * @param  string  $value
-     * @return string
-     */
-    public function getPostAttribute($value)
-    {
-        return (new Parsedown())->text($value);
-    }
-
     /**
      * Get all the information of the Entry for the journal.
      * @return array

diff --git a/public/js/app.js b/public/js/app.js
diff --git a/public/mix-manifest.json b/public/mix-manifest.json
@@ -1,7 +1,7 @@
 {
     "/js/manifest.js": "/js/manifest.js?id=7db827d654313dce4250",
     "/js/vendor.js": "/js/vendor.js?id=30196262d2017b9a059e",
-    "/js/app.js": "/js/app.js?id=8ef019498e8903d4f072",
+    "/js/app.js": "/js/app.js?id=bff74b3baecd183e247b",
     "/css/app-ltr.css": "/css/app-ltr.css?id=3656924c5fce352ba736",
     "/css/app-rtl.css": "/css/app-rtl.css?id=8ee9e03a2fc4b4087b8a",
     "/css/stripe.css": "/css/stripe.css?id=746c8aaac01c56d3cee1",

diff --git a/resources/js/components/journal/partials/JournalContentEntry.vue b/resources/js/components/journal/partials/JournalContentEntry.vue
@@ -31,7 +31,7 @@
               {{ entry.title }}
             </h3>
 
-            <div dir="auto" class="markdown" v-html="entry.post"></div>
+            <span dir="auto" class="markdown" v-html="compiledMarkdown(entry.post)"></span>
 
             <ul class="f7">
               <li class="di">
@@ -89,6 +89,10 @@ export default {
         .then(response => {
           this.$emit('deleteJournalEntry', this.journalEntry.id);
         });
+    },
+
+    compiledMarkdown (text) {
+      return marked(text, { sanitize: true });
     }
   }
 };

diff --git a/tests/Api/ApiJournalTest.php b/tests/Api/ApiJournalTest.php
@@ -105,7 +105,7 @@ public function it_creates_a_journal_entry()
             'object' => 'entry',
             'id' => $entryId,
             'title' => 'my title',
-            'post' => '<p>content post</p>',
+            'post' => 'content post',
         ]);
 
         $this->assertGreaterThan(0, $entryId);
@@ -154,7 +154,7 @@ public function it_updates_a_journal_entry()
             'object' => 'entry',
             'id' => $entryId,
             'title' => 'my title',
-            'post' => '<p>content post</p>',
+            'post' => 'content post',
         ]);
 
         $this->assertGreaterThan(0, $entryId);

diff --git a/tests/Unit/Models/CallTest.php b/tests/Unit/Models/CallTest.php
diff --git a/tests/Unit/Models/EntryTest.php b/tests/Unit/Models/EntryTest.php
@@ -24,7 +24,7 @@ public function get_info_for_journal_entry()
             'type' => 'entry',
             'id' => 1,
             'title' => 'This is the title',
-            'post' => '<p>this is a post</p>',
+            'post' => 'this is a post',
             'day' => 1,
             'day_name' => 'Sun',
             'month' => 1,