|
|
@@ -6,30 +6,60 @@ class Xss {
|
|
|
const config = crowi.config;
|
|
|
const isXSSPrevented = config.isXSSPrevented;
|
|
|
const XSSOption = config.XSSOption;
|
|
|
- const tagWhiteList = config.tagWhiteList;
|
|
|
- const attrWhiteList = config.attrWhiteList;
|
|
|
+ let tagWhiteList = config.tagWhiteList;
|
|
|
+ let attrWhiteList = config.attrWhiteList;
|
|
|
|
|
|
+ /**
|
|
|
+ * reference: https://meta.stackexchange.com/questions/1777/what-html-tags-are-allowed-on-stack-exchange-sites
|
|
|
+ */
|
|
|
+ const recommendedTagWhiteList = [
|
|
|
+ 'a', 'b', 'blockquote', 'blockquote', 'code', 'del', 'dd', 'dl', 'dt', 'em',
|
|
|
+ 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'i', 'img', 'kbd', 'li', 'ol', 'p', 'pre',
|
|
|
+ 's', 'sup', 'sub', 'strong', 'strike', 'ul', 'br', 'hr'
|
|
|
+ ];
|
|
|
+ const recommendedAttrWhiteList = ['src', 'width', 'height', 'alt', 'title', 'href'];
|
|
|
let whiteListContent = {};
|
|
|
- tagWhiteList.forEach(tag => {
|
|
|
- whiteListContent[tag] = attrWhiteList;
|
|
|
- });
|
|
|
|
|
|
- // create the option object
|
|
|
+ // default
|
|
|
let option = {
|
|
|
stripIgnoreTag: true,
|
|
|
- stripIgnoreTagBody: false,
|
|
|
+ stripIgnoreTagBody: true,
|
|
|
css: false,
|
|
|
whiteList: whiteListContent,
|
|
|
escapeHtml: (html) => html, // resolve https://github.com/weseek/growi/issues/221
|
|
|
};
|
|
|
|
|
|
- //what is this??????????????????? maybe disable this
|
|
|
- // if (crowi) {
|
|
|
- // // allow all attributes
|
|
|
- // option.onTagAttr = function(tag, name, value, isWhiteAttr) {
|
|
|
- // return `${name}="${value}"`;
|
|
|
- // };
|
|
|
- // }
|
|
|
+ if (isXSSPrevented) {
|
|
|
+ switch (XSSOption) {
|
|
|
+ case 1: // ignore all: use default option
|
|
|
+ break;
|
|
|
+
|
|
|
+ case 2: // recommended
|
|
|
+ recommendedTagWhiteList.forEach(tag => {
|
|
|
+ whiteListContent[tag] = recommendedAttrWhiteList;
|
|
|
+ });
|
|
|
+
|
|
|
+ option['whiteList'] = whiteListContent;
|
|
|
+
|
|
|
+ break;
|
|
|
+
|
|
|
+ case 3: // custom white list
|
|
|
+ tagWhiteList.forEach(tag => {
|
|
|
+ whiteListContent[tag] = attrWhiteList;
|
|
|
+ });
|
|
|
+
|
|
|
+ option['whiteList'] = whiteListContent;
|
|
|
+
|
|
|
+ break;
|
|
|
+
|
|
|
+ default:
|
|
|
+ }
|
|
|
+ }
|
|
|
+ else {
|
|
|
+ option['stripIgnoreTag'] = false;
|
|
|
+ option['stripIgnoreTagBody'] = false;
|
|
|
+ }
|
|
|
+
|
|
|
// create the XSS Filter instance
|
|
|
this.myxss = new xss.FilterXSS(option);
|
|
|
}
|
sou