fix: replace only fixed-size strings in rendered HTML
#437 (closed) is not exploitable and so the MR will follow the standard release process rather than the security process.
The fix concerns a "too eager" regular expression used to rewrite attributes in the rendered issue HTML:
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="image" class="lazy gfm" data-src="https://gitlab.com/viktomas/test-project/uploads/113db190052d399419a872fa37e36382/image.png" data-canonical-src="/uploads/113db190052d399419a872fa37e36382/image.png">
We need to remove the src attribute and change data-src to src; otherwise, the lazy-loaded images won't work.
The original expression .replace(/ src=".*" alt/gim, ' alt') could have triggered a replacement in an incorrect scenario, because the greedy .* matches everything up to the last " alt on the same line, for example: <div color=" src=" title="" alt=" someattr='somevalue'"></div>
The fix is not perfect; ideally we would introduce a module that parses the HTML and transforms it, but for now this gets us close enough.
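As an added example (not the MR's own code), the following JavaScript runs the original greedy expression and a fixed-size replacement over the image markup above, over two such images on one line, and over the tricky div. The MR only says the fix replaces fixed-size strings; that the fix strips the exact placeholder src attribute and swaps the literal ` data-src="` prefix is an assumption made here.

```javascript
// Added example, not the code from the MR. Contrasts the greedy regex being
// replaced with a rewrite that only matches fixed-size strings. The exact
// strings used in the merged fix are an assumption; the placeholder GIF and the
// attribute names come from the MR description.

// The 1x1 transparent GIF that lazy-loaded images use as their initial src.
const PLACEHOLDER_SRC =
  ' src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="';

// Sample lazy-loaded image as rendered in the issue HTML (from the MR text).
const LAZY_IMG =
  '<img' + PLACEHOLDER_SRC + ' alt="image" class="lazy gfm"' +
  ' data-src="https://gitlab.com/viktomas/test-project/uploads/113db190052d399419a872fa37e36382/image.png"' +
  ' data-canonical-src="/uploads/113db190052d399419a872fa37e36382/image.png">';

// What a correct rewrite of one well-formed image should produce.
const EXPECTED_IMG =
  '<img alt="image" class="lazy gfm"' +
  ' src="https://gitlab.com/viktomas/test-project/uploads/113db190052d399419a872fa37e36382/image.png"' +
  ' data-canonical-src="/uploads/113db190052d399419a872fa37e36382/image.png">';

// The incorrect-scenario markup quoted in the MR: no image at all, but its
// attribute values happen to contain ` src="` and `" alt`.
const TRICKY_DIV = `<div color=" src=" title="" alt=" someattr='somevalue'"></div>`;

// Second step shared by both variants: promote data-src to src. split/join is
// used instead of String.replace so that every occurrence is handled and no
// regex metacharacters or `$` replacement patterns are interpreted.
function swapDataSrc(html) {
  return html.split(' data-src="').join(' src="');
}

// Original behaviour: `.*` is greedy, so the match runs from the first ` src="`
// to the LAST `" alt` on the line and everything in between is discarded.
function rewriteGreedy(html) {
  return swapDataSrc(html.replace(/ src=".*" alt/gim, ' alt'));
}

// Fixed-size behaviour: only the exact placeholder attribute is removed, so
// attribute values elsewhere in the HTML cannot widen the match.
function rewriteFixed(html) {
  return swapDataSrc(html.split(PLACEHOLDER_SRC).join(''));
}

// Helper used to show how many <img> tags survive a rewrite.
function countImages(html) {
  return (html.match(/<img\b/g) || []).length;
}

// Stand-alone demonstration.
const twoImages = LAZY_IMG + ' and ' + LAZY_IMG;
console.log('single image, greedy == fixed:', rewriteGreedy(LAZY_IMG) === rewriteFixed(LAZY_IMG));
console.log('two images on one line, greedy keeps', countImages(rewriteGreedy(twoImages)), 'image(s)');
console.log('two images on one line, fixed keeps', countImages(rewriteFixed(twoImages)), 'image(s)');
console.log('tricky div, greedy:', rewriteGreedy(TRICKY_DIV));
console.log('tricky div, fixed: ', rewriteFixed(TRICKY_DIV));
```

On a single well-formed image both variants agree, which is why the original expression looked correct. With two images on one line the greedy variant collapses them into one tag, and on the tricky div it rewrites attributes of an element that was never an image; the fixed-size variant leaves both alone.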
The original expression was introduced in !25 (merged)
Related to #437 (closed)