Acasă Explorează Ajutor
Autentificare
wiki
/
weseek__growi
oglindă de https://github.com/weseek/growi
2
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Răsfoiți Sursa

xss default white list

sou 7 ani în urmă
părinte
3b408be852
comite
16018f41ad
2 a modificat fișierele cu 47 adăugiri și 19 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 44 14
      lib/util/xss.js
  2. 3 5
      lib/views/admin/markdown.html

+ 44 - 14
lib/util/xss.js
Vizualizați fișierul 

@@ -6,30 +6,60 @@ class Xss {
 
     const config = crowi.config;
 
     const isXSSPrevented = config.isXSSPrevented;
 
     const XSSOption = config.XSSOption;
 
-    const tagWhiteList = config.tagWhiteList;
 
-    const attrWhiteList = config.attrWhiteList;
 
+    let tagWhiteList = config.tagWhiteList;
 
+    let attrWhiteList = config.attrWhiteList;
 
 
+    /**
 
+     * reference: https://meta.stackexchange.com/questions/1777/what-html-tags-are-allowed-on-stack-exchange-sites
 
+     */
 
+    const recommendedTagWhiteList = [
 
+      'a', 'b', 'blockquote', 'blockquote', 'code', 'del', 'dd', 'dl', 'dt', 'em',
 
+      'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'i', 'img', 'kbd', 'li', 'ol', 'p', 'pre',
 
+      's', 'sup', 'sub', 'strong', 'strike', 'ul', 'br', 'hr'
 
+    ];
 
+    const recommendedAttrWhiteList = ['src', 'width', 'height', 'alt', 'title', 'href'];
 
     let whiteListContent = {};
 
-    tagWhiteList.forEach(tag => {
 
-      whiteListContent[tag] = attrWhiteList;
 
-    });
 
 
-    // create the option object
 
+    // default
 
     let option = {
 
       stripIgnoreTag: true,
 
-      stripIgnoreTagBody: false,
 
+      stripIgnoreTagBody: true,
 
       css: false,
 
       whiteList: whiteListContent,
 
       escapeHtml: (html) => html,   // resolve https://github.com/weseek/growi/issues/221
 
     };
 
 
-    //what is this??????????????????? maybe disable this
 
-    // if (crowi) {
 
-    //   // allow all attributes
 
-    //   option.onTagAttr = function(tag, name, value, isWhiteAttr) {
 
-    //     return `${name}="${value}"`;
 
-    //   };
 
-    // }
 
+    if (isXSSPrevented) {
 
+      switch (XSSOption) {
 
+        case 1: // ignore all: use default option
 
+          break;
 
+
 
+        case 2: // recommended
 
+          recommendedTagWhiteList.forEach(tag => {
 
+            whiteListContent[tag] = recommendedAttrWhiteList;
 
+          });
 
+
 
+          option['whiteList'] = whiteListContent;
 
+
 
+          break;
 
+
 
+        case 3: // custom white list
 
+          tagWhiteList.forEach(tag => {
 
+            whiteListContent[tag] = attrWhiteList;
 
+          });
 
+
 
+          option['whiteList'] = whiteListContent;
 
+
 
+          break;
 
+
 
+        default:
 
+      }
 
+    }
 
+    else {
 
+      option['stripIgnoreTag'] = false;
 
+      option['stripIgnoreTagBody'] = false;
 
+    }
 
+
 
     // create the XSS Filter instance
 
     this.myxss = new xss.FilterXSS(option);
 
   }

+ 3 - 5
lib/views/admin/markdown.html
Vizualizați fișierul 

@@ -115,13 +115,11 @@
 
 
         <div class="form-group">
 
           <div id="selectXSS" class="input">
 
-            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="1" checked>
 
-              {{ t('markdown_setting.Allow all') }}<br>
 
-            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="2">
 
+            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="1">
 
               {{ t('markdown_setting.Ignore all') }}<br>
 
-            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="3">
 
+            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="2" checked>
 
               {{ t('markdown_setting.Recommended setting') }}<br>
 
-            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="4">
 
+            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="3">
 
               {{ t('markdown_setting.Whitelist setting') }}<br>
 
         </div>