Merge pull request #1768 from nextcloud/fix/Stored-HTML-Injection-in-Nextcloud-Notes-Markdown-Preview-via-Unescaped-Image-Alt-Text

fix(files): Apply HTML escaping to all user-controlled input before сoncatenating it into HTML

Author: max-nextcloud

src/Util.js

@@ -66,3 +66,9 @@ export const getDefaultSampleNote = () => {
 > ` + t('notes', 'Nextcloud, a safe home for all your data') + `
 `
 }
+
+export const escapeHtml = (str) => {
+	const element = document.createElement('div')
+	element.textContent = str
+	return element.innerHTML
+}

src/components/EditorMarkdownIt.vue

@@ -11,6 +11,7 @@
 
 import MarkdownIt from 'markdown-it'
 import { generateUrl } from '@nextcloud/router'
+import { escapeHtml } from '../Util.js'
 
 export default {
 	name: 'EditorMarkdownIt',
@@ -145,7 +146,10 @@ export default {
 
 				if (download) {
 					const dlimgpath = generateUrl('svg/core/actions/download?color=ffffff')
-					return '<div class="download-file"><a href="' + path.replace(/"/g, '&quot;') + '"><div class="download-icon"><img class="download-icon-inner" src="' + dlimgpath + '">' + token.content + '</div></a></div>'
+					const tokenContent = escapeHtml(token.content)
+					return '<div class="download-file"><a href="' + path.replace(/"/g, '&quot;') + '"><div class="download-icon"><img class="download-icon-inner" '
+						+ 'src="' + dlimgpath + '">'
+						+ tokenContent + '</div></a></div>'
 				} else {
 					// pass token to default renderer.
 					return defaultRender(tokens, idx, options, env, self)