Unverified Commit 98f380b2 authored by chris48s's avatar chris48s Committed by GitHub

improve logo escaping (#3511)

* escape logo in make-badge

* 2.2.1 release notes

* tighten up validation of logo param
parent 829971f0
# Changelog
## 2.2.0
## 2.2.1
### Fixes
- Escape logos to prevent XSS vulnerability
- Update docblock for BadgeFactory.create()
## 2.2.0 - 2019-05-29
### Deprecations
......
......@@ -173,7 +173,7 @@ module.exports = function makeBadge({
escapedText: text.map(escapeXml),
widths: [leftWidth + 10 + logoWidth + logoPadding, rightWidth + 10],
links: links.map(escapeXml),
logo,
logo: escapeXml(logo),
logoPosition,
logoWidth,
logoPadding,
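Review bot: The escaping added on the `logo: escapeXml(logo),` line has no regression test in the sections of this commit visible here; the only new test cases exercise `isDataUrl` in the logo helpers, not `makeBadge` itself. Library users who call `makeBadge` directly never pass through the server-side logo validation, so this line is their only protection. A make-badge test should pass a logo containing `"`, `<` and `>` and assert that none of them reach the output unescaped. A short comment would also help, e.g. `// logo is caller-controlled; escape it before it reaches the SVG template`. Whether `escapeXml` tolerates an undefined logo (a badge with no logo) is not visible in this hunk and should be confirmed; the `makeBadge` body starts and ends outside it.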
......
{
"name": "gh-badges",
"version": "2.2.0",
"version": "2.2.1",
"description": "Shields.io badge library",
"keywords": [
"GitHub",
......
'use strict'
const Joi = require('joi')
const { toSvgColor } = require('../gh-badges/lib/color')
const coalesce = require('../core/base-service/coalesce')
const { svg2base64 } = require('./svg-helpers')
......@@ -31,7 +32,12 @@ function prependPrefix(s, prefix) {
}
function isDataUrl(s) {
return s !== undefined && /^(data:)([^;]+);([^,]+),(.+)$/.test(s)
try {
Joi.assert(s, Joi.string().dataUri())
return true
} catch (e) {
return false
}
}
// +'s are replaced with spaces when used in query params, this returns them
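Review bot: `isDataUrl(undefined)` appears to return true after this change, because Joi schemas are optional by default and `Joi.assert(undefined, Joi.string().dataUri())` does not throw, whereas the removed regex line carried an explicit `s !== undefined` guard. Making the schema required restores the old behaviour: `Joi.assert(s, Joi.string().required().dataUri())`. Separately, as far as I recall `dataUri()` checks the payload alphabet only for base64-encoded URIs, so this function is better treated as input hygiene than as the XSS barrier; confirm that against the Joi version the project pins. The schema could also be built once at module level rather than on every call.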
......
......@@ -19,8 +19,16 @@ describe('Logo helpers', function() {
})
test(isDataUrl, () => {
//valid input
given('data:image/svg+xml;base64,PHN2ZyB4bWxu').expect(true)
// invalid inputs
forCases([given('data:foobar'), given('foobar')]).expect(false)
// attempted XSS attack
given(
'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+P+/HgAFhAJ/wlseKgAAAABJRU5ErkJggg=="/><script>alert()</script>'
).expect(false)
})
test(prepareNamedLogo, () => {
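Review bot: The new `isDataUrl` cases do not cover `undefined`, which the previous implementation rejected explicitly and which callers with no logo parameter presumably pass; adding `given(undefined).expect(false)` would catch a regression there. The only hostile case is a base64 URI with trailing markup, so a second negative case using a data URI that is not base64-encoded would show whether the validator constrains that form as well. The `test(prepareNamedLogo, ...)` block that follows continues outside the hunk.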
......