Safely escape <script> injected code in companion send-token.js (#3101)

Fixes #2974

package-lock.json

@@ -75765,6 +75765,7 @@
         "request": "2.88.2",
         "semver": "6.3.0",
         "serialize-error": "^2.1.0",
+        "serialize-javascript": "^6.0.0",
         "tus-js-client": "2.1.1",
         "uuid": "8.1.0",
         "validator": "^12.1.0",
@@ -75998,6 +75999,14 @@
         "node": ">=0.10.0"
       }
     },
+    "packages/@uppy/companion/node_modules/serialize-javascript": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz",
+      "integrity": "sha512-Qr3TosvguFt8ePWqsvRfrKyQXIiW+nGbYpy8XK24NQHE83caxWt+mIymTT19DGFbNWNLfEwsrkSmN64lVWB9ag==",
+      "dependencies": {
+        "randombytes": "^2.1.0"
+      }
+    },
     "packages/@uppy/companion/node_modules/supports-color": {
       "version": "5.5.0",
       "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
@@ -89840,6 +89849,7 @@
         "request": "2.88.2",
         "semver": "6.3.0",
         "serialize-error": "^2.1.0",
+        "serialize-javascript": "^6.0.0",
         "supertest": "3.4.2",
         "tus-js-client": "2.1.1",
         "typescript": "~4.3",
@@ -90006,6 +90016,14 @@
           "resolved": "https://registry.npmjs.org/serialize-error/-/serialize-error-2.1.0.tgz",
           "integrity": "sha1-ULZ51WNc34Rme9yOWa9OW4HV9go="
         },
+        "serialize-javascript": {
+          "version": "6.0.0",
+          "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz",
+          "integrity": "sha512-Qr3TosvguFt8ePWqsvRfrKyQXIiW+nGbYpy8XK24NQHE83caxWt+mIymTT19DGFbNWNLfEwsrkSmN64lVWB9ag==",
+          "requires": {
+            "randombytes": "^2.1.0"
+          }
+        },
         "supports-color": {
           "version": "5.5.0",
           "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",

packages/@uppy/companion/package.json

@@ -64,6 +64,7 @@
     "request": "2.88.2",
     "semver": "6.3.0",
     "serialize-error": "^2.1.0",
+    "serialize-javascript": "^6.0.0",
     "tus-js-client": "2.1.1",
     "uuid": "8.1.0",
     "validator": "^12.1.0",

packages/@uppy/companion/src/server/controllers/send-token.js

@@ -1,6 +1,8 @@
 const { URL } = require('url')
+const serialize = require('serialize-javascript')
+
 const tokenService = require('../helpers/jwt')
-const { hasMatch, sanitizeHtml } = require('../helpers/utils')
+const { hasMatch } = require('../helpers/utils')
 const oAuthState = require('../helpers/oauth-state')
 
 /**
@@ -15,7 +17,7 @@ const htmlContent = (token, origin) => {
     <head>
         <meta charset="utf-8" />
         <script>
-          window.opener.postMessage(${sanitizeHtml(JSON.stringify({ token }))}, ${sanitizeHtml(JSON.stringify(origin))})
+          window.opener.postMessage(${serialize({ token })}, ${serialize(origin)})
           window.close()
         </script>
     </head>

packages/@uppy/companion/src/server/helpers/utils.js

@@ -31,15 +31,6 @@ exports.jsonStringify = (data) => {
   })
 }
 
-/**
- * Does a simple html sanitization on the passed value
- *
- * @param {string} text
- */
-exports.sanitizeHtml = (text) => {
-  return text ? text.replace(/<\/?[^>]+(>|$)/g, '') : text
-}
-
 // all paths are assumed to be '/' prepended
 /**
  * Returns a url builder

packages/@uppy/companion/test/__tests__/callback.js

@@ -37,7 +37,7 @@ describe('test authentication callback', () => {
     <head>
         <meta charset="utf-8" />
         <script>
-          window.opener.postMessage({"token":"${token}"}, "http://localhost:3020")
+          window.opener.postMessage({"token":"${token}"}, "http:\\u002F\\u002Flocalhost:3020")
           window.close()
         </script>
     </head>