improve logo escaping (#3511)

* escape logo in make-badge

* 2.2.1 release notes

* tighten up validation of logo param
chris48s
2019-05-30 18:28:37 +01:00
committed by GitHub
parent 829971f0ef
commit 98f380b254
5 changed files with 25 additions and 4 deletions


@@ -1,5 +1,6 @@
'use strict'
const Joi = require('joi')
const { toSvgColor } = require('../gh-badges/lib/color')
const coalesce = require('../core/base-service/coalesce')
const { svg2base64 } = require('./svg-helpers')
@@ -31,7 +32,12 @@ function prependPrefix(s, prefix) {
}
function isDataUrl(s) {
return s !== undefined && /^(data:)([^;]+);([^,]+),(.+)$/.test(s)
try {
Joi.assert(s, Joi.string().dataUri())
return true
} catch (e) {
return false
}
}
// +'s are replaced with spaces when used in query params, this returns them
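Review bot: The Joi-based body of isDataUrl drops the explicit `s !== undefined` guard that the replaced regex version carried, and Joi schemas accept undefined unless marked `.required()`, so `Joi.assert(undefined, Joi.string().dataUri())` does not throw and isDataUrl(undefined) now returns true where it previously returned false. Changing the assertion to `Joi.assert(s, Joi.string().dataUri().required())` restores the old contract while keeping the stricter base64 payload check that rejects the trailing-markup input the new test exercises. The test hunk in the second file section covers valid, malformed and markup-bearing inputs but not an absent logo, so a `given(undefined).expect(false)` case there would pin this. Whether a true result for an undefined logo actually reaches the rendered SVG depends on the callers, which are outside this hunk.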


@@ -19,8 +19,16 @@ describe('Logo helpers', function() {
})
test(isDataUrl, () => {
//valid input
given('data:image/svg+xml;base64,PHN2ZyB4bWxu').expect(true)
// invalid inputs
forCases([given('data:foobar'), given('foobar')]).expect(false)
// attempted XSS attack
given(
'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+P+/HgAFhAJ/wlseKgAAAABJRU5ErkJggg=="/><script>alert()</script>'
).expect(false)
})
test(prepareNamedLogo, () => {
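Review bot: The comment `//valid input` on the new isDataUrl test lacks the space after `//` that the sibling comments `// invalid inputs` and `// attempted XSS attack` use; `// valid input` keeps the block consistent. The enclosing describe('Logo helpers') block starts and ends outside the hunk.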