Skip to content

fix: replace only fixed-size strings in rendered HTML

Tomas Vik (OOO back on 2025-01-02) requested to merge 437-markdown-regexp into main

#437 (closed) is not exploitable and so the MR will follow the standard release process rather than the security process.

The fix is concerning a "too eager" expression for replacing attributes in the issue HTML:

<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="image" class="lazy gfm" data-src="https://gitlab.com/viktomas/test-project/uploads/113db190052d399419a872fa37e36382/image.png" data-canonical-src="/uploads/113db190052d399419a872fa37e36382/image.png">

We need to remove the src attribute and change the data-src to src otherwise, the lazy-loaded images won't work.

The original expression .replace(/ src=".*" alt/gim, ' alt') could have trigger replacement in an incorrect scenario: <div color=" src=" title="" alt=" someattr='somevalue'"></div>

The fix is not perfect and ideally, we would introduce a module that would parse the HTML and transform it. But for now this will get us close enough.

The original expression was introduced in !25 (merged)

Related to #437 (closed)

Merge request reports

Loading