add comment about metascraper untrusted input, sanitize HTML

fix #14066 Test Plan: follow test plan in #13114 to make sure there are no regressions
brave · May 8, 2018 · 94b507c · 94b507c
1 parent 7cc4ea4
commit 94b507c
Show file tree

Hide file tree

Showing 3 changed files with 3,844 additions and 3,814 deletions.
diff --git a/app/extensions/brave/content/scripts/requestHandler.js b/app/extensions/brave/content/scripts/requestHandler.js
@@ -7,6 +7,21 @@ const ipc = chrome.ipcRenderer
 ipc.send('got-background-page-webcontents')
 const domParser = new DOMParser()
 
+/**
+ * Takes a string and sanitizes it for HTML.
+ * This doesn't defend against other forms of code injection (for instance
+ * interpreting the input as js), so the input should still be considered
+ * untrusted.
+ * @param {string} input
+ * @returns {string}
+ */
+const sanitizeHtml = (input) => {
+  if (typeof input !== 'string') {
+    return ''
+  }
+  return input.replace(/([\s\n]*<[^>]*>[\s\n]*)+/g, ' ')
+}
+
 ipc.on('fetch-publisher-info', (e, url, options) => {
   let finalUrl = url
   window.fetch(url, options).then((response) => {
@@ -43,9 +58,9 @@ const requestHandlerApi = {
         error: null,
         body: {
           url: finalUrl,
-          title: result.title || '',
-          image: result.image || '',
-          author: result.author || ''
+          title: sanitizeHtml(result.title) || '',
+          image: sanitizeHtml(result.image) || '',
+          author: sanitizeHtml(result.author) || ''
         }
       })
     } catch (err) {
@@ -73,7 +88,7 @@ const requestHandlerApi = {
     }
 
     const html = (node.outerHTML || new XMLSerializer().serializeToString(node)) || ''
-    return html.replace(/([\s\n]*<[^>]*>[\s\n]*)+/g, ' ')
+    return sanitizeHtml(html)
   },
 
   urlCheck: (url) => {

diff --git a/js/lib/request.js b/js/lib/request.js
@@ -101,6 +101,8 @@ module.exports.requestDataFile = (url, headers, path, reject, resolve) => {
  * Fetches url, title, and image for a publishers site (Youtube, Twitch, etc.)
  * See
  * https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch
+ * WARNING: the output of this function is untrusted. You should be careful not
+ *  to execute it as code!
  * @param {string} url - url to fetch
  * @param {Object} options - options to pass to window.fetch
  * @param {Function({url: string, title: string, image: string, error: string})} callback