fix(xss): fixed double escaping (#894)

Lumieducation · Nov 5, 2020 · 9d37f70 · 9d37f70
1 parent aad59b0
commit 9d37f70
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/src/SemanticsEnforcer.ts b/src/SemanticsEnforcer.ts
@@ -1,5 +1,5 @@
 import sanitizeHtml from 'sanitize-html';
-import { escape } from 'html-escaper';
+import { escape, unescape } from 'html-escaper';
 
 import { ContentScanner } from './ContentScanner';
 import LibraryManager from './LibraryManager';
@@ -242,7 +242,9 @@ export default class SemanticsEnforcer {
         } else {
             log.debug('Filtering out all HTML tags');
             // Escape all HTML tags if the field doesn't allow HTML in general.
-            newText = escape(newText);
+            // We avoid double escaping like &amp; becoming &amp;amp; by
+            // unescaping first.
+            newText = escape(unescape(newText));
         }
 
         // Check if string has the required length

diff --git a/test/SemanticsEnforcer.text.test.ts b/test/SemanticsEnforcer.text.test.ts
@@ -97,6 +97,14 @@ describe('SemanticsEnforcer', () => {
         await compare('Hello world!', 'Hello world!');
     });
 
+    it("doesn't escape already escaped text.", async () => {
+        await compare('Hello &amp; world!', 'Hello &amp; world!');
+    });
+
+    it('escapes dangerous characters in simple text', async () => {
+        await compare('Hello & world!', 'Hello &amp; world!');
+    });
+
     it("strips html tags from text that doesn't allow html", async () => {
         await compare(
             '<script>alert("Danger!");</script>Hello world!',