fix: escape HTML characters in JSON LD

andreituicu · tripodsan · commit 72b080a70fe4 · 2024-08-12T15:41:34.000+02:00
diff --git a/src/steps/render.js b/src/steps/render.js
@@ -36,10 +36,8 @@ function createElement(name, ...attrs) {
 }
 
 function sanitizeJsonLd(jsonLd) {
-  if (jsonLd.toLowerCase().indexOf('</script>') >= 0) {
-    throw new Error('script tag not allowed');
-  }
-  return JSON.stringify(JSON.parse(jsonLd.trim()));
+  const sanitizedJsonLd = jsonLd.replaceAll('<', '&#x3c;').replaceAll('>', '&#x3e;');
+  return JSON.stringify(JSON.parse(sanitizedJsonLd.trim()));
 }
 
 /**
diff --git a/test/fixtures/content/page-metadata-jsonld-xss.html b/test/fixtures/content/page-metadata-jsonld-xss.html
@@ -8,7 +8,7 @@
     <meta name="twitter:card" content="summary_large_image">
     <meta name="twitter:title" content="Home | Helix Project Boilerplate">
     <meta name="twitter:image" content="https://helix-pages.com/default-meta-image.png?width=1200&#x26;format=pjpg&#x26;optimize=medium">
-    <script type="application/ld+json" data-error="error in json-ld: script tag not allowed"></script>
+    <script type="application/ld+json">{"foo:":"&#x3c;/script&#x3e;alert('hello, world.')"}</script>
     <link id="favicon" rel="icon" type="image/svg+xml" href="/icons/spark.svg">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <script src="/scripts.js" type="module"></script>

Original file line number	Diff line number	Diff line change
`@@ -36,10 +36,8 @@ function createElement(name, ...attrs) {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`function sanitizeJsonLd(jsonLd) {`
`39`		`- if (jsonLd.toLowerCase().indexOf('</script>') >= 0) {`
`40`		`- throw new Error('script tag not allowed');`
`41`		`- }`
`42`		`- return JSON.stringify(JSON.parse(jsonLd.trim()));`
	`39`	`+ const sanitizedJsonLd = jsonLd.replaceAll('<', '<').replaceAll('>', '>');`
	`40`	`+ return JSON.stringify(JSON.parse(sanitizedJsonLd.trim()));`
`43`	`41`	`}`
`44`	`42`
`45`	`43`	`/**`