security fixes

seguinleo · Dec 1, 2023 · 011465f · 011465f
1 parent bb0be19
commit 011465f
Show file tree

Hide file tree

Showing 11 changed files with 11 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ When I was looking for a note-taking application, I faced several difficulties:
 ## Features
 All notes are encrypted with ``AES-256-GCM``.
 
-The user can save and edit notes, change color, copy, export and use Markdown or HTML. The user can create tasks lists, tables, links, code blocks, etc. The user can also search for notes by title. Read my [Markdown guide](https://github.com/seguinleo/Bloc-notes/wiki/Markdown).
+The user can save and edit notes, change color, copy, export and use Markdown. The user can create tasks lists, tables, links, code blocks, etc. The user can also search for notes by title. Read my [Markdown guide](https://github.com/seguinleo/Bloc-notes/wiki/Markdown).
 
 The user can also sign in to sync all notes between their devices or browsers in a secure database. The user can also make a note public and share it via a random URL. No email is required, only a username and a strong password.
 

diff --git a/src/assets/js/script.js b/src/assets/js/script.js
@@ -577,7 +577,7 @@ document.querySelector('#submitNote').addEventListener('click', async () => {
   const couleurSpan = document.querySelector('.couleurs span.selectionne');
   const couleur = couleurSpan.classList[0];
   const title = titleNote.value.trim();
-  const content = contentNote.value.trim();
+  const content = contentNote.value.trim().replace(/</g, '&lt;').replace(/>/g, '&gt;');
   const hidden = document.querySelector('#checkHidden').checked;
 
   if (!title || title.length > 30 || content.length > 5000) return;

diff --git a/src/assets/js/scriptConnect.js b/src/assets/js/scriptConnect.js
@@ -604,7 +604,7 @@ document.querySelector('#submitNote').addEventListener('click', async () => {
   try {
     const idNote = document.querySelector('#idNoteInput').value;
     const titreBrut = titleNote.value.trim();
-    const contentBrut = contentNote.value.trim();
+    const contentBrut = contentNote.value.trim().replace(/</g, '&lt;').replace(/>/g, '&gt;');
     if (!titreBrut || titreBrut.length > 30 || contentBrut.length > 5000) return;
     const titre = encodeURIComponent(titreBrut);
     const content = encodeURIComponent(contentBrut);

diff --git a/src/assets/js/showdown.min.js b/src/assets/js/showdown.min.js
diff --git a/src/de/index.php b/src/de/index.php
@@ -34,6 +34,7 @@
     <meta name="theme-color" content="#171717" class="themecolor">
     <meta name="apple-mobile-web-app-capable" content="yes">
     <meta name="apple-mobile-web-app-status-bar-style" content="#171717" class="themecolor">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; base-uri 'none'; child-src 'none'; connect-src 'self'; frame-ancestors 'none'; frame-src 'none'; font-src 'self' https://cdnjs.cloudflare.com/; form-action 'self'; img-src http:; manifest-src 'self'; media-src 'none'; object-src 'none'; script-src 'self'; script-src-attr 'none'; script-src-elem 'self'; style-src 'self' https://cdnjs.cloudflare.com/; worker-src 'self'">
     <link rel="apple-touch-icon" href="../assets/icons/apple-touch-icon.png">
     <link rel="shortcut icon" href="../favicon.ico" type="image/x-icon">
     <link rel="stylesheet" href="../assets/css/style.css">

diff --git a/src/de/script.js b/src/de/script.js
@@ -577,7 +577,7 @@ document.querySelector('#submitNote').addEventListener('click', async () => {
   const couleurSpan = document.querySelector('.couleurs span.selectionne');
   const couleur = couleurSpan.classList[0];
   const title = titleNote.value.trim();
-  const content = contentNote.value.trim();
+  const content = contentNote.value.trim().replace(/</g, '&lt;').replace(/>/g, '&gt;');
   const hidden = document.querySelector('#checkHidden').checked;
 
   if (!title || title.length > 30 || content.length > 5000) return;

diff --git a/src/de/scriptConnect.js b/src/de/scriptConnect.js
@@ -604,7 +604,7 @@ document.querySelector('#submitNote').addEventListener('click', async () => {
   try {
     const idNote = document.querySelector('#idNoteInput').value;
     const titreBrut = titleNote.value.trim();
-    const contentBrut = contentNote.value.trim();
+    const contentBrut = contentNote.value.trim().replace(/</g, '&lt;').replace(/>/g, '&gt;');
     if (!titreBrut || titreBrut.length > 30 || contentBrut.length > 5000) return;
     const titre = encodeURIComponent(titreBrut);
     const content = encodeURIComponent(contentBrut);

diff --git a/src/en/index.php b/src/en/index.php
@@ -34,6 +34,7 @@
     <meta name="theme-color" content="#171717" class="themecolor">
     <meta name="apple-mobile-web-app-capable" content="yes">
     <meta name="apple-mobile-web-app-status-bar-style" content="#171717" class="themecolor">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; base-uri 'none'; child-src 'none'; connect-src 'self'; frame-ancestors 'none'; frame-src 'none'; font-src 'self' https://cdnjs.cloudflare.com/; form-action 'self'; img-src http:; manifest-src 'self'; media-src 'none'; object-src 'none'; script-src 'self'; script-src-attr 'none'; script-src-elem 'self'; style-src 'self' https://cdnjs.cloudflare.com/; worker-src 'self'">
     <link rel="apple-touch-icon" href="../assets/icons/apple-touch-icon.png">
     <link rel="shortcut icon" href="../favicon.ico" type="image/x-icon">
     <link rel="stylesheet" href="../assets/css/style.css">

diff --git a/src/en/script.js b/src/en/script.js
@@ -577,7 +577,7 @@ document.querySelector('#submitNote').addEventListener('click', async () => {
   const couleurSpan = document.querySelector('.couleurs span.selectionne');
   const couleur = couleurSpan.classList[0];
   const title = titleNote.value.trim();
-  const content = contentNote.value.trim();
+  const content = contentNote.value.trim().replace(/</g, '&lt;').replace(/>/g, '&gt;');
   const hidden = document.querySelector('#checkHidden').checked;
 
   if (!title || title.length > 30 || content.length > 5000) return;

diff --git a/src/en/scriptConnect.js b/src/en/scriptConnect.js
@@ -604,7 +604,7 @@ document.querySelector('#submitNote').addEventListener('click', async () => {
   try {
     const idNote = document.querySelector('#idNoteInput').value;
     const titreBrut = titleNote.value.trim();
-    const contentBrut = contentNote.value.trim();
+    const contentBrut = contentNote.value.trim().replace(/</g, '&lt;').replace(/>/g, '&gt;');
     if (!titreBrut || titreBrut.length > 30 || contentBrut.length > 5000) return;
     const titre = encodeURIComponent(titreBrut);
     const content = encodeURIComponent(contentBrut);

diff --git a/src/index.php b/src/index.php
@@ -34,6 +34,7 @@
     <meta name="theme-color" content="#171717" class="themecolor">
     <meta name="apple-mobile-web-app-capable" content="yes">
     <meta name="apple-mobile-web-app-status-bar-style" content="#171717" class="themecolor">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; base-uri 'none'; child-src 'none'; connect-src 'self'; frame-ancestors 'none'; frame-src 'none'; font-src 'self' https://cdnjs.cloudflare.com/; form-action 'self'; img-src http:; manifest-src 'self'; media-src 'none'; object-src 'none'; script-src 'self'; script-src-attr 'none'; script-src-elem 'self'; style-src 'self' https://cdnjs.cloudflare.com/; worker-src 'self'">
     <link rel="apple-touch-icon" href="assets/icons/apple-touch-icon.png">
     <link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
     <link rel="stylesheet" href="assets/css/style.css">