From b3ab096c3fb09f562927a1582c7ce7020a0976bf Mon Sep 17 00:00:00 2001
From: Arthur Briginets
Date: Wed, 24 Mar 2021 17:07:52 +0200
Subject: [PATCH 1/5] fix(cve-2020-28458): updated package datatables.net-bs to use sub-dep datatables.net 1.10.22

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 35f9512c4..055e707ce 100644
--- a/package.json
+++ b/package.json
@@ -93,7 +93,7 @@
 "chartist-plugin-zoom": "0.6.0",
 "core-js": "2.4.1",
 "datatables": "1.10.18",
- "datatables.net-bs": "1.10.20",
+ "datatables.net-bs": "^1.10.22",
 "datatables.net-responsive": "2.2.3",
 "eonasdan-bootstrap-datetimepicker": "4.17.47",
 "es6-shim": "0.35.5",
From 87c2f436f8796eb15fa69ef4154bbbe7675e3b83 Mon Sep 17 00:00:00 2001
From: Arthur Briginets
Date: Wed, 24 Mar 2021 17:38:17 +0200
Subject: [PATCH 2/5] fix(cve-2020-28458): replaced datatables 1.10.18 by datatables.net 1.10.22

---
 config.angular.json | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config.angular.json b/config.angular.json
index bb9dcad54..5893ab364 100644
--- a/config.angular.json
+++ b/config.angular.json
@@ -36,7 +36,7 @@
 "node_modules/eonasdan-bootstrap-datetimepicker/src/js/bootstrap-datetimepicker.js",
 "node_modules/nouislider/distribute/nouislider.min.js",
 "node_modules/bootstrap-select/dist/js/bootstrap-select.js",
- "node_modules/datatables/media/js/jquery.dataTables.js",
+ "node_modules/datatables.net/js/jquery.dataTables.js",
 "node_modules/datatables.net-bs/js/dataTables.bootstrap.js",
 "node_modules/datatables.net-responsive/js/dataTables.responsive.js",
 "node_modules/bootstrap-tagsinput/dist/bootstrap-tagsinput.js",
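Review bot: The replacement line `+ "datatables.net-bs": "^1.10.22",` introduces the only floating range in this dependency list — every neighbouring entry in the hunk (`core-js`, `datatables`, `datatables.net-responsive`, `es6-shim`) is an exact version — so what actually gets installed for a CVE fix now depends on the registry state at install time rather than on this commit. Since the goal is to land a specific patched release, keep the file's exact-pin convention: `"datatables.net-bs": "1.10.22",`. If a range is intentional because the `datatables.net` core is only pulled transitively through this package, say so in the commit message so the next reader does not "fix" it back.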
@@ -116,7 +116,7 @@
 "node_modules/eonasdan-bootstrap-datetimepicker/src/js/bootstrap-datetimepicker.js",
 "node_modules/nouislider/distribute/nouislider.min.js",
 "node_modules/bootstrap-select/dist/js/bootstrap-select.js",
- "node_modules/datatables/media/js/jquery.dataTables.js",
+ "node_modules/datatables.net/js/jquery.dataTables.js",
 "node_modules/datatables.net-bs/js/dataTables.bootstrap.js",
 "node_modules/datatables.net-responsive/js/dataTables.responsive.js",
 "node_modules/bootstrap-tagsinput/dist/bootstrap-tagsinput.js",
diff --git a/package.json b/package.json
index 055e707ce..d5430fe24 100644
--- a/package.json
+++ b/package.json
@@ -92,7 +92,7 @@
 "chartist": "0.11.4",
 "chartist-plugin-zoom": "0.6.0",
 "core-js": "2.4.1",
- "datatables": "1.10.18",
+ "datatables.net": "^1.10.22",
 "datatables.net-bs": "^1.10.22",
 "datatables.net-responsive": "2.2.3",
 "eonasdan-bootstrap-datetimepicker": "4.17.47",
From ec056a2b1599e0d7ba76047ba52bf5021d25ac8d Mon Sep 17 00:00:00 2001
From: Arthur Briginets
Date: Fri, 26 Mar 2021 13:31:23 +0200
Subject: [PATCH 3/5] fix(CVE-2018-19057): fixed simplemde editor XSS via an onerror attribute of a crafted IMG element

---
 .../widgets/ext-md-editor/ext-md-editor.component.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/app/shared/jsf-extention/widgets/ext-md-editor/ext-md-editor.component.ts b/src/app/shared/jsf-extention/widgets/ext-md-editor/ext-md-editor.component.ts
index 509fdd96f..72ab0b8ad 100644
--- a/src/app/shared/jsf-extention/widgets/ext-md-editor/ext-md-editor.component.ts
+++ b/src/app/shared/jsf-extention/widgets/ext-md-editor/ext-md-editor.component.ts
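Review bot: No lockfile accompanies the new `+ "datatables.net": "^1.10.22",` entry — the diffstat for this patch lists only `config.angular.json` and `package.json` — so if the repository carries a `package-lock.json` or `yarn.lock` (not visible here) it must be regenerated in the same change; otherwise `npm ci` / `yarn --frozen-lockfile` either fails or keeps resolving the pre-fix tree and the CVE-2020-28458 remediation is not what actually ships. The caret range is also a departure from the exact pins on the other entries in this hunk, which is worth a `"datatables.net": "1.10.22",` unless a range is deliberate. Since the `datatables` package is removed here but only the script path in `config.angular.json` was switched, it is worth grepping the sources for a remaining `datatables` import or typing reference before merging.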
@@ -19,6 +19,12 @@ export class ExtMdEditorComponent implements OnInit {
 promptURLs: true,
 spellChecker: false,
 showIcons: ['code', 'table'],
+ previewRender: (plainText, preview) => {
+ setTimeout(() => {
+ preview.innerHTML = this._textEditor.simpleMDE.markdown(plainText);
+ this._textEditor.writeValue(plainText.replace(/onerror=/ig, ''));
+ });
+ }
 };
 @ViewChild('mdEditor', {static: false}) private _textEditor: TdTextEditorComponent;
From 265f95cb13b54117a7455efb8306125df8173c39 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Fri, 26 Mar 2021 11:52:47 +0000
Subject: [PATCH 4/5] Autoincrement project version

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index d5430fe24..0fb75c9b0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "xm-webapp",
- "version": "2.0.36",
+ "version": "2.0.37",
 "private": true,
 "description": "Xm-webapp",
 "homepage": "https://github.com/xm-online/xm-webapp",
From 4de59d468957bc04dc14cfd81218f5600f47cfae Mon Sep 17 00:00:00 2001
From: Arthur Briginets
Date: Fri, 26 Mar 2021 15:19:40 +0200
Subject: [PATCH 5/5] fix(CVE-2018-19057): updated XSS fix

---
 .../ext-md-editor/ext-md-editor.component.ts | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/app/shared/jsf-extention/widgets/ext-md-editor/ext-md-editor.component.ts b/src/app/shared/jsf-extention/widgets/ext-md-editor/ext-md-editor.component.ts
index 72ab0b8ad..f00d966e3 100644
--- a/src/app/shared/jsf-extention/widgets/ext-md-editor/ext-md-editor.component.ts
+++ b/src/app/shared/jsf-extention/widgets/ext-md-editor/ext-md-editor.component.ts
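Review bot: The denylist in the new `previewRender` runs after the damage is done: the first added statement `preview.innerHTML = this._textEditor.simpleMDE.markdown(plainText);` renders the unmodified input, so an `<img src=x onerror=…>` handler fires before `plainText.replace(/onerror=/ig, '')` on the next line — and that replace only rewrites the editor's value via `writeValue`, never what was just rendered. The regex is also trivially bypassed (`onerror =` with whitespace, `onload=`, `<svg onload>`, `javascript:` hrefs), and calling `writeValue` from a render callback silently edits the user's document. Patch 5/5 rewrites this block, but the robust shape is to sanitize the rendered HTML (for example Angular's `DomSanitizer.sanitize(SecurityContext.HTML, html)`) before assigning it and to leave the editor content untouched; the enclosing options object and class continue outside the hunk.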
@@ -2,6 +2,8 @@ import { Component, Input, OnInit, ViewChild } from '@angular/core';
 import { TdTextEditorComponent } from '@covalent/text-editor';
 import { JsonSchemaFormService } from 'angular2-json-schema-form';
 
+declare const $: any;
+
 @Component({
 selector: 'xm-ext-md-editor-widget',
 templateUrl: 'ext-md-editor.component.html',
@@ -21,8 +23,15 @@ export class ExtMdEditorComponent implements OnInit {
 showIcons: ['code', 'table'],
 previewRender: (plainText, preview) => {
 setTimeout(() => {
- preview.innerHTML = this._textEditor.simpleMDE.markdown(plainText);
- this._textEditor.writeValue(plainText.replace(/onerror=/ig, ''));
+ // for correct parsing in any cases we need to wrap plain text to root tag
+ if ($($.parseHTML(`
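Review bot: `declare const $: any;` makes every jQuery call in this file unchecked, which is exactly the escape hatch a typed codebase should avoid for code that is now part of an XSS guard. If `@types/jquery` is already in the project (not visible here) prefer `declare const $: JQueryStatic;` or `import * as $ from 'jquery';` so the `parseHTML`/`find` calls are type-checked; if the only consumer is the one-off HTML pre-check, sanitizing the rendered markdown output instead would remove the need for the global entirely.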
${plainText}
`)).find('img[onerror]').length > 0) {
+ // this fix need for security issue: https://github.com/sparksuite/simplemde-markdown-editor/issues/721
+ const errorText = 'onerror handler is not supported';
+ preview.innerHTML = errorText;
+ this._textEditor.writeValue(errorText);
+ } else {
+ preview.innerHTML = this._textEditor.simpleMDE.markdown(plainText);
+ }
 });
 }
 };
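Review bot: The new guard is a denylist of a single attribute, so the `else` branch still hands SimpleMDE's raw HTML to `preview.innerHTML` for every other inline-HTML payload markdown admits (`<svg onload=…>`, `<iframe>`, `<a href="javascript:…">`, `<details open ontoggle=…>`), and even the `img[onerror]` case is bypassable because `.find()` searches descendants only — input that closes the wrapping root tag first (the comment says the text is wrapped in one; the tag itself is lost in this rendering, but e.g. `</div><img src=x onerror=…>` for a `<div>`) leaves the `img` as a sibling of the wrapper and the check passes. Sanitize the rendered output instead of pattern-matching the input: inject Angular's `DomSanitizer` (the constructor is outside the hunk; import `DomSanitizer` from `@angular/platform-browser` and `SecurityContext` from `@angular/core`) and run the markdown result through `sanitize(SecurityContext.HTML, html)` before assigning it, which also drops the `$.parseHTML` pre-check and the `declare const $: any` global. If the bundled jQuery predates 3.0 (version not visible here), `$.parseHTML` without a context document parses into the live document and an `onerror` handler can fire during the check itself — confirm before relying on it. Separately, `this._textEditor.writeValue(errorText)` overwrites the user's whole document with the error string from inside a preview callback; rendering the message only into `preview` keeps the editor content intact.
```typescript
previewRender: (plainText, preview) => {
  setTimeout(() => {
    // Sanitize the rendered HTML (strips script, event-handler attributes and
    // javascript: URLs) instead of denylisting one attribute in the input.
    const html = this._textEditor.simpleMDE.markdown(plainText);
    preview.innerHTML = this.sanitizer.sanitize(SecurityContext.HTML, html) || '';
  });
}
// … unchanged: rest of the editor options object …
```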