@@ -1,8 +1,13 @@
# CHANGES
-## v4.2.20-RC
+## v4.2.21-RC
+
+*
+## v4.2.20
* Improvement: Error message when the password is too short
+* Improvement: Repeat XSS processing as a countermeasure against nesting
* Fix: NoSQL injection of access-token-parser
* Fix: Checking permission when operating share links
* Fix: Invalid NaN label is shown when deletedAt of the page is undefined
@@ -1,6 +1,6 @@
{
"name": "growi",
- "version": "4.2.20-RC",
+ "version": "4.2.21-RC",
"description": "Team collaboration software using markdown",
"tags": [
"wiki",
@@ -14,17 +14,7 @@ export default class XssFilter {
process(markdown) {
if (this.crowi.config.isEnabledXssPrevention) {
- let count = 0;
- let tempValue = markdown;
- let currValue = '';
- while (true) {
- count += 1;
- currValue = this.xss.process(tempValue);
- if(count > 50) return '--filtered--';
- if(currValue == tempValue) break;
- tempValue = currValue;
- }
- return currValue;
+ return this.xss.process(markdown);
}
return markdown;
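Review bot: `process(markdown)` now delegates entirely to `this.xss.process`, but the method still carries no documentation of its contract, in particular that it returns the input untouched when `isEnabledXssPrevention` is off and that the delegate may substitute a sentinel for a document it gives up on. I would add above `process(markdown) {`: `/** Sanitize markdown unless XSS prevention is disabled in config, in which case the input is returned unchanged. */`. The class continues outside the hunk.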
@@ -1,6 +1,9 @@
const xss = require('xss');
const commonmarkSpec = require('./commonmark-spec');
+const REPETITIONS_NUM = 50;
class Xss {
constructor(xssOption) {
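Review bot: `const REPETITIONS_NUM = 50;` is a security-relevant limit with no explanation of what it bounds or why it is 50. I would add above it: `// Upper bound on sanitizer passes in process(): stops a document that never reaches a fixed point from looping forever.` If the value was chosen empirically rather than derived, the comment should say so, because anyone lowering it later makes the filter give up sooner. The class body continues outside the hunk.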
@@ -36,7 +39,23 @@ class Xss {
process(document) {
- return this.myxss.process(document);
+ let count = 0;
+ let currDoc = document;
+ let prevDoc = document;
+ do {
+ count += 1;
+ // stop running infinitely
+ if (count > REPETITIONS_NUM) {
+ return '--filtered--';
+ }
+ prevDoc = currDoc;
+ currDoc = this.myxss.process(currDoc);
+ while (currDoc !== prevDoc);
+ return currDoc;
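Review bot: When the cap at `if (count > REPETITIONS_NUM)` is hit the whole document is silently replaced by `'--filtered--'`, so an operator cannot tell an adversarial payload from a sanitizer that merely failed to converge; if this module has a logger available, emit a warning there before returning, and in any case document the sentinel for callers. Above `do {` I would add: `// A single sanitizer pass can expose a tag nested inside another (the nesting case from the changelog), so re-run until the output stops changing; give up after REPETITIONS_NUM passes rather than loop forever.` The `}` closing the `do` block before `while (currDoc !== prevDoc);` is not visible in the hunk; if that is not just a rendering loss the method will not parse. `let prevDoc = document;` is redundant since it is reassigned on the first pass and could be `let prevDoc;`. The method's closing brace is outside the hunk.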
@@ -142,16 +142,7 @@ module.exports = (crowi) => {
});
swig.setFilter('preventXss', (string) => {
- count = 0;
- tempValue = string;
- currValue = crowi.xss.process(tempValue);
+ return crowi.xss.process(string);
swig.setFilter('slice', (list, start, end) => {
@@ -46,7 +46,7 @@
{% include 'page_alerts.html' %}
<div id="display-switcher">
- <script type="text/template" id="raw-text-original">{{ revision.body.toString() | preventXss | encodeHTML }}</script>
+ <script type="text/template" id="raw-text-original">{{ revision.body.toString() | encodeHTML }}</script>
</div>
<div id="page-editor-navbar-bottom-container" class="d-none d-edit-block"></div>
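Review bot: After dropping `preventXss` from `#raw-text-original`, the revision body reaches the client with only `encodeHTML` applied, so whatever reads this template and renders it (not visible here) is now solely responsible for sanitizing it; confirm that consumer runs the body through the XSS filter before inserting it as HTML, otherwise the repeated-pass countermeasure added elsewhere in this commit never applies on this path. `encodeHTML` is also what keeps a body containing `</script>` from terminating the template element, so it must encode `<`, which this hunk does not show either. The surrounding template markup continues outside the hunk.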