
fix: #215 Imprv: Prevent XSS (Cross Site Scripting) - Part 1

Yuki Takei 8 lat temu
rodzic
commit
064d014318
3 zmienionych plików z 29 dodań i 1 usunięć
  1. 16 0
      lib/models/revision.js
  2. 2 1
      package.json
  3. 11 0
      yarn.lock

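--- a/lib/models/revision.js
+++ b/lib/models/revision.js
@@ -1,6 +1,7 @@
 module.exports = function(crowi) {
   var debug = require('debug')('crowi:models:revision')
     , mongoose = require('mongoose')
+    , xss = require('xss')
     , ObjectId = mongoose.Schema.Types.ObjectId
     , revisionSchema;
 
@@ -12,6 +13,21 @@ module.exports = function(crowi) {
     createdAt: { type: Date, default: Date.now }
   });
 
+  // create a XSS Filter instance
+  const myxss = new xss.FilterXSS({
+    stripIgnoreTag: true,
+    css: false,
+    // allow all attributes
+    onTagAttr: function (tag, name, value, isWhiteAttr) {
+      return `${name}="${value}"`;
+    }
+  });
+  // prevent XSS when pre save
+  revisionSchema.pre('save', function(next) {
+    this.body = myxss.process(this.body);
+    next();
+  });
+
   revisionSchema.statics.findLatestRevision = function(path, cb) {
     this.find({path: path})
       .sort({createdAt: -1})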
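Review bot: The `onTagAttr` hook in the new `FilterXSS` config returns `${name}="${value}"` for every attribute regardless of `isWhiteAttr`, and per the xss library's hook contract a returned string is emitted verbatim, so this bypasses both the attribute whitelist and the `safeAttrValue` escaping — `<img src=x onerror=alert(1)>` or `<a href="javascript:...">` pass straight through, and a `value` containing `"` can break out of the attribute, leaving the filter with almost no effect. The three-line `onTagAttr` block (and its "allow all attributes" comment) should simply be removed so non-whitelisted attributes are dropped and whitelisted ones still get URL and quote sanitisation; if attributes such as `class` or `data-*` are genuinely needed, add them to `whiteList` or handle them narrowly in `onIgnoreTagAttr` returning `${name}="${xss.escapeAttrValue(value)}"`. Separately, running the filter in `pre('save')` rewrites the stored body irreversibly (if `body` is markdown source, fenced code containing `<script>` would be altered), so sanitising at render time or keeping the raw body may be the safer design — that depends on how `body` is rendered elsewhere, which is not visible here. The enclosing `module.exports = function(crowi)` body continues outside the hunk.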

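--- a/package.json
+++ b/package.json
@@ -125,7 +125,8 @@
     "uglifycss": "^0.0.27",
     "webpack": "^3.1.0",
     "webpack-bundle-analyzer": "^2.9.0",
-    "webpack-merge": "~4.1.0"
+    "webpack-merge": "~4.1.0",
+    "xss": "^0.3.5"
   },
   "devDependencies": {
     "chai": "^4.1.0",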

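--- a/yarn.lock
+++ b/yarn.lock
@@ -1705,6 +1705,10 @@ cssesc@^0.1.0:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-0.1.0.tgz#c814903e45623371a0477b40109aaafbeeaddbb4"
 
+cssfilter@0.0.10:
+  version "0.0.10"
+  resolved "https://registry.yarnpkg.com/cssfilter/-/cssfilter-0.0.10.tgz#c6d2672632a2e5c83e013e6864a42ce8defd20ae"
+
 "cssnano@>=2.6.1 <4":
   version "3.10.0"
   resolved "https://registry.yarnpkg.com/cssnano/-/cssnano-3.10.0.tgz#4f38f6cea2b9b17fa01490f23f1dc68ea65c1c38"
@@ -6358,6 +6362,13 @@ xmlhttprequest-ssl@~1.5.4:
   version "1.5.4"
   resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.4.tgz#04f560915724b389088715cc0ed7813e9677bf57"
 
+xss@^0.3.5:
+  version "0.3.5"
+  resolved "https://registry.yarnpkg.com/xss/-/xss-0.3.5.tgz#cc1d6400a010809e79e5401c3a523fef8792b44c"
+  dependencies:
+    commander "^2.9.0"
+    cssfilter "0.0.10"
+
 xtend@^4.0.0, xtend@~4.0.1:
   version "4.0.1"
   resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"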