Escape attribute keys also (#84)

* Escape attribute keys also

* Fix

* Add xss examples

* Clean xss.json

CHANGELOG.rst

@@ -5,7 +5,7 @@ History
 0.18.0 (2024-02-09)
 -------------------
 - html.escape all the attributes
-- Match link domain more precisely.
+- Match link domain more precisely
 - Image height or width can be individually specified
 
 0.16.0 (2023-03-14)

tests/data/html/xss.html

@@ -0,0 +1 @@
+<div data-foo="&quot;/&gt;&lt;script&gt;alert(&#x27;pwned!&#x27;);&lt;/script&gt;" data-&gt;&lt;script&gt;alert(&#x27;pwned!&#x27;);&lt;/script&gt;="foo"><p><a foo="&quot;&gt;alert(&#x27;pwned!&#x27;);&lt;/script&gt;" &gt;&lt;script&gt;alert(&#x27;pwned!&#x27;);&lt;/script&gt;="foo" target="_blank" rel="noopener nofollow">&lt;script&gt;alert(&#x27;pwned!&#x27;);&lt;/script&gt;</a></p></div>

tests/data/json/embed-no_caption.json

@@ -16,5 +16,5 @@
         "html": "<iframe width=\"480\" height=\"270\" src=\"https://www.youtube.com/embed/GJQsT-h0FTU?feature=oembed\" frameborder=\"0\"  allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen></iframe>"
       }
     }
-   ]
+  ]
 }

tests/data/json/embed.json

@@ -16,5 +16,5 @@
         "html": "<iframe width=\"480\" height=\"270\" src=\"https://www.youtube.com/embed/GJQsT-h0FTU?feature=oembed\" frameborder=\"0\"  allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen></iframe>"
       }
     }
-   ]
+  ]
 }

tests/data/json/featuredimage.json

@@ -4,10 +4,13 @@
     {
       "type": "featuredimage",
       "attrs": {
-        "src": { "image": "https://placekitten.com/200/301", "fallback": "https://placekitten.com/198/654" },
+        "src": {
+          "image": "https://placekitten.com/200/301",
+          "fallback": "https://placekitten.com/198/654"
+        },
         "alt": "Brown Kitten Image",
         "caption": "Cute Kitty"
       }
     }
-   ]
+  ]
 }

tests/data/json/xss.json

@@ -0,0 +1,29 @@
+{
+  "type": "doc",
+  "attrs": {
+    "data": {
+      "foo": "\"/><script>alert('pwned!');</script>",
+      "><script>alert('pwned!');</script>": "foo"
+    }
+  },
+  "content": [
+    {
+      "type": "paragraph",
+      "content": [
+        {
+          "type": "text",
+          "marks": [
+            {
+              "type": "link",
+              "attrs": {
+                "><script>alert('pwned!');</script>": "foo",
+                "foo": "\">alert('pwned!');</script>"
+              }
+            }
+          ],
+          "text": "<script>alert('pwned!');</script>"
+        }
+      ]
+    }
+  ]
+}

tests/test_transform.py

@@ -43,6 +43,7 @@
     "document-sketch",
     "camel-case",
     "data_attributes",
+    "xss",
 )
 
 

tiptapy/__init__.py

@@ -44,11 +44,21 @@ def _get_abs_template_path(path_str):
 
 
 def escape_values_recursive(node):
-    skip_key = "html"  # Skip escaping html values in embeds
+    # Skip the html key in the node, as it is used to render the html
+    # and should not be escaped. Users should clean the html before
+    # passing it to the renderer.
+    skip_key = "html"
+
     if isinstance(node, dict):
-        for k, v in node.items():
-            if k != skip_key:
-                node[k] = escape_values_recursive(v)
+        items = list(node.items())
+        for k, v in items:
+            esc_k = escape(k)
+            if k != esc_k:
+                del node[k]
+            if esc_k == skip_key:
+                node[esc_k] = v
+            else:
+                node[esc_k] = escape_values_recursive(v)
     elif isinstance(node, list):
         for i, v in enumerate(node):
             node[i] = escape_values_recursive(v)