sou 7 лет назад
Родитель
Сommit
69b89e32ba
6 измененных файлов с 47 добавлено и 54 удалено
  1. 4 4
      lib/form/admin/markdownXSS.js
  2. 20 20
      lib/models/config.js
  3. 8 8
      lib/routes/admin.js
  4. 1 1
      lib/routes/index.js
  5. 2 2
      lib/util/xss.js
  6. 12 19
      lib/views/admin/markdown.html

+ 4 - 4
lib/form/admin/markdownXSS.js

@@ -4,8 +4,8 @@ var form = require('express-form')
   , field = form.field;
 
 module.exports = form(
-  field('markdownSetting[markdown:XSS:isPrevented]').trim().toBooleanStrict(),
-  field('markdownSetting[markdown:XSS:option]').trim().toInt(),
-  field('markdownSetting[markdown:XSS:tagWhiteList]').trim(),
-  field('markdownSetting[markdown:XSS:attrWhiteList]').trim()
+  field('markdownSetting[markdown:xss:isPrevented]').trim().toBooleanStrict(),
+  field('markdownSetting[markdown:xss:option]').trim().toInt(),
+  field('markdownSetting[markdown:xss:tagWhiteList]').trim(),
+  field('markdownSetting[markdown:xss:attrWhiteList]').trim()
 );

+ 20 - 20
lib/models/config.js

@@ -2,7 +2,7 @@ module.exports = function(crowi) {
   var mongoose = require('mongoose')
     , debug = require('debug')('growi:models:config')
     , uglifycss = require('uglifycss')
-    , RecommendedXSSWhiteList = require('../util/RecommendedXSSWhiteList')
+    , RecommendedXssWhiteList = require('../util/RecommendedXssWhiteList')
     , configSchema
     , Config
 
@@ -102,12 +102,12 @@ module.exports = function(crowi) {
 
   function getDefaultMarkdownConfigs() {
     return {
-      'markdown:XSS:isPrevented': false,
-      'markdown:XSS:option': 2,
-      'markdown:XSS:tagWhiteList': [],
-      'markdown:XSS:attrWhiteList': [],
+      'markdown:xss:isPrevented': false,
+      'markdown:xss:option': 2,
+      'markdown:xss:tagWhiteList': [],
+      'markdown:xss:attrWhiteList': [],
       'markdown:isEnabledLinebreaks': false,
-      'markdown:isEnabledPreventXSS': false,
+      'markdown:isEnabledPreventXss': false,
       'markdown:isEnabledLinebreaksInComments': true,
     };
   }
@@ -340,8 +340,8 @@ module.exports = function(crowi) {
     return config.markdown[key];
   };
 
-  configSchema.statics.isXSSPrevented = function(config) {
-    const key = 'markdown:XSS:isPrevented';
+  configSchema.statics.isXssPrevented = function(config) {
+    const key = 'markdown:xss:isPrevented';
 
     // return default value if undefined
     if (undefined === config.markdown || undefined === config.markdown[key]) {
@@ -351,8 +351,8 @@ module.exports = function(crowi) {
     return config.markdown[key];
   };
 
-  configSchema.statics.XSSOption = function(config) {
-    const key = 'markdown:XSS:option';
+  configSchema.statics.xssOption = function(config) {
+    const key = 'markdown:xss:option';
 
     // return default value if undefined
     if (undefined === config.markdown || undefined === config.markdown[key]) {
@@ -363,20 +363,20 @@ module.exports = function(crowi) {
   };
 
   configSchema.statics.tagWhiteList = function(config) {
-    const key = 'markdown:XSS:tagWhiteList';
+    const key = 'markdown:xss:tagWhiteList';
 
     // return default value if undefined
     if (undefined === config.markdown || undefined === config.markdown[key]) {
       return getDefaultMarkdownConfigs[key];
     }
 
-    if (this.isXSSPrevented(config)) {
-      switch (this.XSSOption(config)) {
+    if (this.isXssPrevented(config)) {
+      switch (this.xssOption(config)) {
         case 1: // ignore all: use default option
           return [];
 
         case 2: // recommended
-          return RecommendedXSSWhiteList.tags;
+          return RecommendedXssWhiteList.tags;
 
         case 3: // custom white list
           return config.markdown[key];
@@ -392,20 +392,20 @@ module.exports = function(crowi) {
   };
 
   configSchema.statics.attrWhiteList = function(config) {
-    const key = 'markdown:XSS:attrWhiteList';
+    const key = 'markdown:xss:attrWhiteList';
 
     // return default value if undefined
     if (undefined === config.markdown || undefined === config.markdown[key]) {
       return getDefaultMarkdownConfigs[key];
     }
 
-    if (this.isXSSPrevented(config)) {
-      switch (this.XSSOption(config)) {
+    if (this.isXssPrevented(config)) {
+      switch (this.xssOption(config)) {
         case 1: // ignore all: use default option
           return [];
 
         case 2: // recommended
-          return RecommendedXSSWhiteList.attrs;
+          return RecommendedXssWhiteList.attrs;
 
         case 3: // custom white list
           return config.markdown[key];
@@ -559,8 +559,8 @@ module.exports = function(crowi) {
       layoutType: Config.layoutType(config),
       isEnabledLinebreaks: Config.isEnabledLinebreaks(config),
       isEnabledLinebreaksInComments: Config.isEnabledLinebreaksInComments(config),
-      isXSSPrevented: Config.isXSSPrevented(config),
-      XSSOption: Config.XSSOption(config),
+      isXssPrevented: Config.isXssPrevented(config),
+      xssOption: Config.xssOption(config),
       tagWhiteList: Config.tagWhiteList(config),
       attrWhiteList: Config.attrWhiteList(config),
       highlightJsStyleBorder: Config.highlightJsStyleBorder(config),
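Review bot: The persisted-config keys read by isXssPrevented, xssOption, tagWhiteList and attrWhiteList change from `markdown:XSS:*` to `markdown:xss:*`, and nothing in the commit migrates documents already stored under the old names, so a deployment that had prevention switched on will presumably find `markdown:xss:isPrevented` undefined after upgrade and fall back to the default of `false` — XSS filtering silently off until an admin re-saves the form; confirm against how `updateNamespaceByArray` persists keys and either migrate or read the old key when the new one is absent. The fallback itself is also broken in tagWhiteList and attrWhiteList: the context line `return getDefaultMarkdownConfigs[key];` indexes the function object instead of calling it and therefore yields `undefined` rather than `[]`; it should be `return getDefaultMarkdownConfigs()[key];`. With `undefined` returned, the `tagWhiteList.forEach` in lib/util/xss.js could throw as soon as prevention is enabled while the list key is missing. The switch bodies of tagWhiteList and attrWhiteList continue past the ends of their hunks.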

+ 8 - 8
lib/routes/admin.js

@@ -130,18 +130,18 @@ module.exports = function(crowi, app) {
     }
   };
 
-  // app.post('/admin/markdown/XSSSetting' , admin.markdown.XSSSetting);
-  actions.markdown.XSSSetting = function(req, res) {
-    let XSSSetting = req.form.markdownSetting;
+  // app.post('/admin/markdown/xss-setting' , admin.markdown.xssSetting);
+  actions.markdown.xssSetting = function(req, res) {
+    let xssSetting = req.form.markdownSetting;
 
-    XSSSetting['markdown:XSS:tagWhiteList'] = stringToArray(XSSSetting['markdown:XSS:tagWhiteList']);
-    XSSSetting['markdown:XSS:attrWhiteList'] = stringToArray(XSSSetting['markdown:XSS:attrWhiteList']);
+    xssSetting['markdown:xss:tagWhiteList'] = stringToArray(xssSetting['markdown:xss:tagWhiteList']);
+    xssSetting['markdown:xss:attrWhiteList'] = stringToArray(xssSetting['markdown:xss:attrWhiteList']);
 
-    req.session.markdownSetting = XSSSetting;
+    req.session.markdownSetting = xssSetting;
     if (req.form.isValid) {
-      Config.updateNamespaceByArray('markdown', XSSSetting, function(err, config) {
+      Config.updateNamespaceByArray('markdown', xssSetting, function(err, config) {
         Config.updateConfigCache('markdown', config);
-        req.session.XSSSetting = null;
+        req.session.xssSetting = null;
         req.flash('successMessage', ['Successfully updated!']);
         return res.redirect('/admin/markdown');
       });

+ 1 - 1
lib/routes/index.js

@@ -78,7 +78,7 @@ module.exports = function(crowi, app) {
   // markdown admin
   app.get('/admin/markdown'                   , loginRequired(crowi, app) , middleware.adminRequired() , admin.markdown.index);
   app.post('/admin/markdown/lineBreaksSetting', loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.markdown, admin.markdown.lineBreaksSetting); //change form name
-  app.post('/admin/markdown/XSSSetting'       , loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.markdownXSS, admin.markdown.XSSSetting);
+  app.post('/admin/markdown/xss-setting'       , loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.markdownXSS, admin.markdown.xssSetting);
 
   // markdown admin
   app.get('/admin/customize'                , loginRequired(crowi, app) , middleware.adminRequired() , admin.customize.index);

+ 2 - 2
lib/util/xss.js

@@ -4,7 +4,7 @@ class Xss {
     const xss = require('xss');
 
     const config = crowi.config;
-    const isXSSPrevented = config.isXSSPrevented;
+    const isXssPrevented = config.isXssPrevented;
     const tagWhiteList = config.tagWhiteList;
     const attrWhiteList = config.attrWhiteList;
 
@@ -19,7 +19,7 @@ class Xss {
       escapeHtml: (html) => html,   // resolve https://github.com/weseek/growi/issues/221
     };
 
-    if (isXSSPrevented) {
+    if (isXssPrevented) {
       tagWhiteList.forEach(tag => {
         whiteListContent[tag] = attrWhiteList;
       });

+ 12 - 19
lib/views/admin/markdown.html

@@ -90,7 +90,7 @@
       </fieldset>
       </form>
 
-      <form action="/admin/markdown/XSSSetting" method="post" class="form-horizontal" id="markdownSettingForm" role="form">
+      <form action="/admin/markdown/xss-setting" method="post" class="form-horizontal" id="markdownSettingForm" role="form">
       <fieldset>
         <legend>{{ t('markdown_setting.XSS_setting') }}</legend>
         <p class="well">{{ t("markdown_setting.XSS_setting_desc") }}</p>
@@ -100,13 +100,13 @@
           </label>
           <div class="col-xs-5">
             <div class="btn-group btn-toggle" data-toggle="buttons">
-              <label class="btn btn-default btn-rounded btn-outline {% if markdownSetting['markdown:XSS:isPrevented'] %}active{% endif %}" data-active-class="primary">
-                <input name="markdownSetting[markdown:XSS:isPrevented]" value="true" type="radio"
-                    {% if true === markdownSetting['markdown:XSS:isPrevented'] %}checked{% endif %}> ON
+              <label class="btn btn-default btn-rounded btn-outline {% if markdownSetting['markdown:xss:isPrevented'] %}active{% endif %}" data-active-class="primary">
+                <input name="markdownSetting[markdown:xss:isPrevented]" value="true" type="radio"
+                    {% if true === markdownSetting['markdown:xss:isPrevented'] %}checked{% endif %}> ON
               </label>
-              <label class="btn btn-default btn-rounded btn-outline {% if !markdownSetting['markdown:XSS:isPrevented'] %}active{% endif %}" data-active-class="default">
-                <input name="markdownSetting[markdown:XSS:isPrevented]" value="false" type="radio"
-                    {% if !markdownSetting['markdown:XSS:isPrevented'] %}checked{% endif %}> OFF
+              <label class="btn btn-default btn-rounded btn-outline {% if !markdownSetting['markdown:xss:isPrevented'] %}active{% endif %}" data-active-class="default">
+                <input name="markdownSetting[markdown:xss:isPrevented]" value="false" type="radio"
+                    {% if !markdownSetting['markdown:xss:isPrevented'] %}checked{% endif %}> OFF
               </label>
             </div>
             <p class="help-block">{{ t("markdown_setting.Prevent XSS(Cross Site Scripting)desc") }}<br>{{ t("markdown_setting.Prevent XSS(Cross Site Scripting)desc2") }}</p>
@@ -115,11 +115,11 @@
 
         <div class="form-group">
           <div id="selectXSS" class="input">
-            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="1">
+            <input type="radio" name="markdownSetting[markdown:xss:option]" value="1">
               {{ t('markdown_setting.Ignore all') }}<br>
-            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="2" checked>
+            <input type="radio" name="markdownSetting[markdown:xss:option]" value="2" checked>
               {{ t('markdown_setting.Recommended setting') }}<br>
-            <input type="radio" name="markdownSetting[markdown:XSS:option]" value="3">
+            <input type="radio" name="markdownSetting[markdown:xss:option]" value="3">
               {{ t('markdown_setting.Whitelist setting') }}<br>
         </div>
 
@@ -128,11 +128,11 @@
             <p class="help-block">{{ t('markdown_setting.Add white list desc') }}</p>
            <div class="inputbox">
              {{ t('markdown_setting.tag') }}
-             <input type="text" name="markdownSetting[markdown:XSS:tagWhiteList]" size="70" value="" placeholder="span, iframe, input">
+             <input type="text" name="markdownSetting[markdown:xss:tagWhiteList]" size="70" value="" placeholder="span, iframe, input">
            </div>
            <div class="inputbox">
              {{ t('markdown_setting.tag attribute') }}
-             <input type="text" name="markdownSetting[markdown:XSS:attrWhiteList]" size="70" value="" placeholder="class, type, placeholder, name, required">
+             <input type="text" name="markdownSetting[markdown:xss:attrWhiteList]" size="70" value="" placeholder="class, type, placeholder, name, required">
            </div>
          </div>
         </div>
@@ -147,10 +147,6 @@
       </fieldset>
       </form>
 
-
-
-
-
     </div>
   </div>
 
@@ -159,6 +155,3 @@
 
 {% block content_footer %}
 {% endblock content_footer %}
-
-
-
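Review bot: The option radios at `name="markdownSetting[markdown:xss:option]"` hard-code `checked` on value 2 and the two whitelist inputs render `value=""`, so the form never reflects the saved option or custom lists, unlike the isPrevented toggle just above which does consult `markdownSetting`. An admin who opens the page and re-saves it (for example to flip the toggle) will presumably overwrite a custom whitelist with the recommended setting and empty lists, since the handler in lib/routes/admin.js stores every field of the form. If `markdownSetting` carries the saved values as it does for isPrevented, mark each radio with `{% if 3 === markdownSetting['markdown:xss:option'] %}checked{% endif %}` (and likewise for 1 and 2) and prefill the inputs with `value="{{ markdownSetting['markdown:xss:tagWhiteList']|join(', ') }}"` — the stored value is an array per `stringToArray`, so a join is needed; confirm the template engine's filter name.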