- Security fix/Breaking change (Imagelib): Require allowedImageLibOrigins
config array be set with safe origins, otherwise rejecting `postMessage` messages that come from untrusted sources - Security fix/Breaking change (xdomain): Namespace the xdomain file so it cannot be used to modify non-xdomain storage - Security fix (Imagelib): Expose `dropXMLInternalSubset` to extensions for preventing the billion laughs attack (and use it in Imagelib)
@@ -102,6 +102,17 @@ export const init = function (editorContext) {
|
||||
svgroot_ = editorContext.getSVGRoot();
|
||||
};
|
||||
|
||||
/**
|
||||
* Used to prevent the [Billion laughs attack]{@link https://en.wikipedia.org/wiki/Billion_laughs_attack}
|
||||
* @function module:utilities.dropXMLInteralSubset
|
||||
* @param {string} str String to be processed
|
||||
* @returns {string} The string with entity declarations in the internal subset removed
|
||||
* @todo This might be needed in other places `parseFromString` is used even without LGTM flagging
|
||||
*/
|
||||
export const dropXMLInteralSubset = (str) => {
|
||||
return str.replace(/(<!DOCTYPE\s+\w*\s*\[).*(\?\]>)/, '$1$2');
|
||||
};
|
||||
|
||||
/**
|
||||
* Converts characters in a string to XML-friendly entities.
|
||||
* @function module:utilities.toXml
|
||||
|
||||
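Review bot: The regex on the `return` line requires a literal `?` before `]>` (`\?\]>`), but a DOCTYPE internal subset closes with plain `]>`, so the replacement does not fire on the entity block it is meant to strip, and `.*` without the `s` flag also stops at the first newline while entity declarations in a billion-laughs payload are usually one per line. Unless the `?` is deliberate for some input I cannot see here, a multi-line, non-greedy match fixes both: `return str.replace(/(<!DOCTYPE\s+\w*\s*\[)[\s\S]*?(\]>)/, '$1$2');` (lazy so a later CDATA `]]>` is not swallowed along with document content). The exported name `dropXMLInteralSubset` also differs from the `dropXMLInternalSubset` the commit message announces, so extensions following the message will not find it. Given the `@todo` about other `parseFromString` sites, I would add to the doc comment that this only neutralizes entity expansion via the internal subset and that callers must hand the returned string, not the original, to the parser.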