fix(plugins): use textContent to protect against xss

Fdawgs · Apr 15, 2024 · f3328af · f3328af
1 parent 510541e
commit f3328af
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 14 deletions.
diff --git a/src/plugins/pdf-to-html/index.js b/src/plugins/pdf-to-html/index.js
@@ -164,7 +164,7 @@ async function plugin(server, options) {
 		 * Overwrite content of remaining title element with temp file id,
 		 * as Poppler reveals directory structure in title.
 		 */
-		titles[0].innerHTML = id;
+		titles[0].textContent = id;
 
 		/**
 		 * `fixUtf8` function replaces most common incorrectly converted

diff --git a/src/plugins/rtf-to-html/index.js b/src/plugins/rtf-to-html/index.js
@@ -119,7 +119,7 @@ async function plugin(server, options) {
 			meta.content = "text/html; charset=utf-8";
 			meta.httpEquiv = "content-type";
 			const title = dom.window.document.createElement("title");
-			title.innerHTML = id;
+			title.textContent = id;
 			dom.window.document.head.prepend(meta, title);
 
 			/**

diff --git a/src/plugins/tidy-css/index.js b/src/plugins/tidy-css/index.js
@@ -40,7 +40,7 @@ async function plugin(server) {
 		// Create style element inside head if none already exist
 		if (styles.length === 0 && (newFonts || newBackgroundColor)) {
 			const element = dom.window.document.createElement("style");
-			element.innerHTML = "div {}";
+			element.textContent = "div {}";
 			dom.window.document.head.append(element);
 
 			styles = dom.window.document.querySelectorAll("style");
@@ -49,11 +49,11 @@ async function plugin(server) {
 		// Combine style elements into single element
 		const combinedStyle = dom.window.document.createElement("style");
 		styles.forEach((style) => {
-			combinedStyle.innerHTML += style.innerHTML;
+			combinedStyle.textContent += style.textContent || "";
 			style.remove();
 		});
 
-		const styleObj = cssomParse(combinedStyle.innerHTML);
+		const styleObj = cssomParse(combinedStyle.textContent || "");
 
 		styleObj.cssRules.forEach((rule) => {
 			if (rule instanceof CSSStyleRule) {
@@ -112,10 +112,12 @@ async function plugin(server) {
 		 * Minifies output whilst also removing HTML comment tags
 		 * wrapping CSS, and redundant semi-colons, generated by Poppler.
 		 */
-		combinedStyle.innerHTML = cssCleaner.minify(styleObj.toString()).styles;
+		combinedStyle.textContent = cssCleaner.minify(
+			styleObj.toString()
+		).styles;
 
 		// Stop empty <style> element being added
-		if (combinedStyle.innerHTML !== "") {
+		if (combinedStyle.textContent !== "") {
 			dom.window.document.head.append(combinedStyle);
 		}
 

diff --git a/src/plugins/tidy-css/plugin.test.js b/src/plugins/tidy-css/plugin.test.js
@@ -112,13 +112,13 @@ describe("Tidy-CSS plugin", () => {
 		// Check CSS is combined into one style tag
 		expect(dom.window.document.querySelectorAll("style")).toHaveLength(1);
 		// Check font-family is set to expected value
-		expect(style?.innerHTML).toMatch(expected?.fonts || /./u);
+		expect(style?.textContent).toMatch(expected?.fonts || /./u);
 		// Check background-color is set to expected value
-		expect(style?.innerHTML).toMatch(expected?.backgroundColor || /./u);
+		expect(style?.textContent).toMatch(expected?.backgroundColor || /./u);
 		// Check page-break-inside is set to avoid
-		expect(style?.innerHTML).toMatch(/page-break-inside:avoid/u);
+		expect(style?.textContent).toMatch(/page-break-inside:avoid/u);
 		// Check CSS is tidied and minified
-		expect(style?.innerHTML).not.toMatch(/;\}|<!--|--!?>|\n|\r/u);
+		expect(style?.textContent).not.toMatch(/;\}|<!--|--!?>|\n|\r/u);
 		expect(response.statusCode).toBe(200);
 	});
 
@@ -146,7 +146,7 @@ describe("Tidy-CSS plugin", () => {
 		// Check CSS is combined into one style tag
 		expect(dom.window.document.querySelectorAll("style")).toHaveLength(1);
 		// Check CSS is tidied and minified
-		expect(style?.innerHTML).not.toMatch(/;\}|<!--|--!?>|\n|\r/u);
+		expect(style?.textContent).not.toMatch(/;\}|<!--|--!?>|\n|\r/u);
 		expect(response.statusCode).toBe(200);
 	});
 

diff --git a/src/plugins/tidy-html/index.js b/src/plugins/tidy-html/index.js
@@ -104,7 +104,7 @@ async function plugin(server) {
 
 			styles.forEach((style) => {
 				const styleElement = style;
-				const styleObj = cssomParse(styleElement.innerHTML);
+				const styleObj = cssomParse(styleElement.textContent || "");
 				const cssRulesLength = styleObj.cssRules.length;
 
 				// Iterate over CSS rules in reverse to avoid index issues
@@ -122,7 +122,7 @@ async function plugin(server) {
 					}
 				}
 
-				styleElement.innerHTML = styleObj.toString();
+				styleElement.textContent = styleObj.toString();
 			});
 
 			// Remove all elements that match the selectors