Bug fixed

・テキストエリアにおけるクロスサイトスクリプティング脆弱性の問題を解消。
Implem · May 24, 2023 · fd1a863 · fd1a863
1 parent a9f3c77
commit fd1a863
Show file tree

Hide file tree

Showing 12 changed files with 56 additions and 43 deletions.
diff --git a/Implem.CodeDefiner/Implem.CodeDefiner.csproj b/Implem.CodeDefiner/Implem.CodeDefiner.csproj
@@ -5,9 +5,9 @@
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
     <Description>This program does the automatic code creation and merging of existing code based on the definition. Also it will make the configuration change of sql server database.</Description>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
   </PropertyGroup>
 

diff --git a/Implem.DefinitionAccessor/Implem.DefinitionAccessor.csproj b/Implem.DefinitionAccessor/Implem.DefinitionAccessor.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
   </PropertyGroup>
 

diff --git a/Implem.DisplayAccessor/Implem.DisplayAccessor.csproj b/Implem.DisplayAccessor/Implem.DisplayAccessor.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
   </PropertyGroup>
 

diff --git a/Implem.Factory/Implem.Factory.csproj b/Implem.Factory/Implem.Factory.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
   </PropertyGroup>
 

diff --git a/Implem.Libraries/Implem.Libraries.csproj b/Implem.Libraries/Implem.Libraries.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
   </PropertyGroup>
 

diff --git a/Implem.ParameterAccessor/Implem.ParameterAccessor.csproj b/Implem.ParameterAccessor/Implem.ParameterAccessor.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
   </PropertyGroup>
 

diff --git a/Implem.Pleasanter/Implem.Pleasanter.csproj b/Implem.Pleasanter/Implem.Pleasanter.csproj
@@ -5,9 +5,9 @@
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
     <Description>Business application platform</Description>
     <AssemblyName>Implem.Pleasanter</AssemblyName>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
 	<DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
     <DockerComposeProjectPath>..\docker-compose.dcproj</DockerComposeProjectPath>

diff --git a/Implem.Pleasanter/wwwroot/scripts/markdown.js b/Implem.Pleasanter/wwwroot/scripts/markdown.js
@@ -66,20 +66,17 @@ $p.markup = function (markdownValue, encoded) {
         var regex_i = /(!\[[^\]]+\]\(.+?\))/gi;
         var regex_t = /(\[[^\]]+\]\(.+?\))/gi;
         var regex = /(\b(https?|notes|ftp):\/\/((?!\*|"|<|>|\||&gt;|&lt;).)+"?)/gi;
-        var anchorTargetBlank = $('#AnchorTargetBlank').length === 1
-            ? ' target="_blank"'
-            : '';
+        var anchorTargetBlank = $('#AnchorTargetBlank').length === 1;
         return text
             .replace(regex_i, function ($1) {
-                return '<a href="' + address($1) + '" target="_blank">'
-                    + '<img src="' + address($1) + '?thumbnail=1" alt="' + title($1) + '" /></a>';
+                return getEncordedImgTag(address($1), title($1));
             })
             .replace(regex_t, function ($1) {
-                return '<a href="' + address($1) + '"' + anchorTargetBlank + '>' + title($1) + '</a>';
+                return getEncordedATag(address($1), title($1), anchorTargetBlank);
             })
             .replace(regex, function ($1) {
                 return $1.slice(-1) != '"'
-                    ? '<a href="' + $1 + '"' + anchorTargetBlank + '>' + $1 + '</a>'
+                    ? getEncordedATag(decode($1), decode($1), anchorTargetBlank)
                     : $1;
             });
     }
@@ -89,11 +86,11 @@ $p.markup = function (markdownValue, encoded) {
         var regex = /(\B\\\\((?!:|\*|"|<|>|\||&gt;|&lt;).)+\\((?!:|\*|"|<|>|\||&gt;|&lt;).)+"?)/gi;
         return text
             .replace(regex_t, function ($1) {
-                return '<a href="file://' + address($1) + '">' + title($1) + '</a>';
+                return getEncordedATag('file://' + address($1), title($1));
             })
             .replace(regex, function ($1) {
                 return $1.slice(-1) != '"'
-                    ? '<a href="file://' + $1 + '">' + $1 + '</a>'
+                    ? getEncordedATag('file://' + decode($1), decode($1))
                     : $1;
             });
     }
@@ -102,15 +99,31 @@ $p.markup = function (markdownValue, encoded) {
         return $('<div/>').text(value).html();
     }
 
+    function getEncordedATag(href, text, anchorTargetBlank) {
+        let $tag = $('<a/>').attr('href', href).text(text);
+        if (anchorTargetBlank) $tag.attr('target', '_blank');
+        return $tag.prop('outerHTML');
+    }
+
+    function getEncordedImgTag(url, text) {
+        let $tag = $('<a/>').attr('href', url).attr('target', '_blank')
+            .append($('<img/>').attr('src', url + '?thumbnail=1').attr('alt', text));
+        return $tag.prop('outerHTML');
+    }
+
     function address($1) {
         var m = $1.match(/\]\(.+?\)/gi)[0];
-        return m.substring(2, m.length - 1);
+        return decode(m.substring(2, m.length - 1));
     }
 
     function title($1) {
         var m = $1.match(/\[[^\]]+\]\(/i)[0];
         return m.substring(1, m.length - 2);
     }
+
+    function decode($1) {
+        return $1.replace(/&amp;/g, '&');
+    }
 }
 
 $p.setInputGuide = function (id, text, markup) {

diff --git a/Implem.TestAutomation/implem.TestAutomation.csproj b/Implem.TestAutomation/implem.TestAutomation.csproj
@@ -4,9 +4,9 @@
     <OutputType>Exe</OutputType>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>  
   </PropertyGroup>
 

diff --git a/Rds/Implem.IRds/Implem.IRds.csproj b/Rds/Implem.IRds/Implem.IRds.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
   </PropertyGroup>
 

diff --git a/Rds/Implem.PostgreSql/Implem.PostgreSql.csproj b/Rds/Implem.PostgreSql/Implem.PostgreSql.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
   </PropertyGroup>
 

diff --git a/Rds/Implem.SqlServer/Implem.SqlServer.csproj b/Rds/Implem.SqlServer/Implem.SqlServer.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <Copyright>Copyright © Implem Inc 2014 - 2023</Copyright>
-    <AssemblyVersion>1.3.38.1</AssemblyVersion>
-    <FileVersion>1.3.38.1</FileVersion>
-    <Version>1.3.38.1</Version>
+    <AssemblyVersion>1.3.38.2</AssemblyVersion>
+    <FileVersion>1.3.38.2</FileVersion>
+    <Version>1.3.38.2</Version>
     <Nullable>disable</Nullable>
   </PropertyGroup>