From 796207e2a045f5b32c593207a8f014fcc127418d Mon Sep 17 00:00:00 2001
From: ewelinagr
Date: Wed, 24 Apr 2024 10:44:32 +0200
Subject: [PATCH] Remove code for special decoding of webdav response. decodeHTMLEntities seems not to be needed and it introduces vulnerability: "DOM text reinterpreted as HTML" - CWE-79, CWE-116
---
 projects/mercury/src/file/FileAPI.js | 15 +--------------
 projects/mercury/src/file/fileUtils.js | 6 ------
 2 files changed, 1 insertion(+), 20 deletions(-)
diff --git a/projects/mercury/src/file/FileAPI.js b/projects/mercury/src/file/FileAPI.js
index e16975d93..1302fca97 100644
--- a/projects/mercury/src/file/FileAPI.js
+++ b/projects/mercury/src/file/FileAPI.js
@@ -2,14 +2,7 @@ import {createClient} from 'webdav';
 import qs from 'qs';
 import {compareBy, comparing} from '../common/utils/genericUtils';
 // eslint-disable-next-line import/no-cycle
-import {
- decodeHTMLEntities,
- encodePath,
- generateUniqueFileName,
- getFileName,
- joinPaths,
- joinPathsAvoidEmpty
-} from './fileUtils';
+import {encodePath, generateUniqueFileName, getFileName, joinPaths, joinPathsAvoidEmpty} from './fileUtils';
 import {handleHttpError} from '../common/utils/httpUtils';
 
 // Ensure that the client passes along the credentials
@@ -479,12 +472,6 @@ class FileAPI {
 mapToFile = fileObject => {
 const properties = {...fileObject, ...(fileObject.props || {})};
 delete properties.props;
- Object.keys(properties).forEach(key => {
- // The WebDAV client does not properly decode the XML response,
- // so we need to do that here
- const value = properties[key];
- properties[key] = typeof value === 'string' ? decodeHTMLEntities(value) : value;
- });
 return properties;
 };
 }
diff --git a/projects/mercury/src/file/fileUtils.js b/projects/mercury/src/file/fileUtils.js
index baaaa18f9..216936406 100644
--- a/projects/mercury/src/file/fileUtils.js
+++ b/projects/mercury/src/file/fileUtils.js
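Review bot: The commit message only says the decoding "seems" unnecessary, but the loop removed from mapToFile was the sole place WebDAV property strings were decoded, so the new body now relies on the webdav client's XML parser already returning decoded text — that assumption should be pinned by a test rather than inferred. I would add a mapToFile test whose fileObject.props carries a name containing `&`, `<` and a quote and assert the returned value is byte-identical to the input, so a regression surfaces as a double-escaped display name instead of a silent change. Separately, `{...fileObject, ...(fileObject.props || {})}` lets a server-supplied prop shadow a top-level field of the stat object on a key collision; if that precedence is intentional, a one-line comment such as `// WebDAV props take precedence over top-level fields on key collision` would make it explicit. The class FileAPI enclosing mapToFile starts before this hunk.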
@@ -137,12 +137,6 @@ export function generateUniqueFileName(fileName, usedNames = []) {
 return newName;
 }
 
-export const decodeHTMLEntities = (htmlSource: string) => {
- const element = document.createElement('textarea');
- element.innerHTML = htmlSource;
- return element.textContent;
-};
-
 export const isUnsafeFileName = fileName => NON_SAFE_FILE_NAMES.includes(fileName);
 
 export const fileNameContainsInvalidCharacter = fileName =>