
Merge pull request #3873 from stypr/master

Security: Improving XSS filter
Yuki Takei пре 4 година
родитељ
комит
758737a8ef

+ 11 - 1
src/client/js/util/PreProcessor/XssFilter.js

@@ -14,7 +14,17 @@ export default class XssFilter {
 
   process(markdown) {
     if (this.crowi.config.isEnabledXssPrevention) {
-      return this.xss.process(markdown);
+      let count = 0;
+      let tempValue = markdown;
+      let currValue = '';
+      while (true) {
+        count += 1;
+        currValue = this.xss.process(tempValue);
+        if(count > 50) return '--filtered--';
+        if(currValue == tempValue) break;
+        tempValue = currValue;
+      }
+      return currValue;
     }
 
     return markdown;
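Review bot: The fixed-point loop on L19-L29 is duplicated almost verbatim in the `preventXss` swig filter of src/server/util/middlewares.js in this same commit, and the two copies already differ (the server copy omits the variable declarations), so the iterate-until-stable logic should live in one shared helper that both call. The `'--filtered--'` sentinel on L25 is returned as ordinary content with nothing logged, so a document that never converges is silently replaced and the event is invisible to anyone monitoring the service; at minimum log the non-convergence, and consider returning an empty string rather than text a reader could mistake for page content. The comparison on L26 should use strict equality, `if (currValue === tempValue) break;`. The enclosing `process` method closes outside the hunk.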

+ 10 - 1
src/server/util/middlewares.js

@@ -142,7 +142,16 @@ module.exports = (crowi) => {
       });
 
       swig.setFilter('preventXss', (string) => {
-        return crowi.xss.process(string);
+        count = 0;
+        tempValue = string;
+        while (true) {
+          count += 1;
+          currValue = crowi.xss.process(tempValue);
+          if(count > 50) return '--filtered--';
+          if(currValue == tempValue) break;
+          tempValue = currValue;
+        }
+        return currValue;
       });
 
       swig.setFilter('slice', (list, start, end) => {
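Review bot: `count`, `tempValue` and `currValue` on L42-L46 are assigned without `let`/`const`, so in a non-strict CommonJS module they become implicit globals living on the process for every request, and under `'use strict'` the filter would throw a ReferenceError the first time it runs; declare them locally, `let count = 0; let tempValue = string; let currValue = '';`. Whether this file runs in strict mode is not visible from the hunk, so the exact failure mode is inferred. The enclosing `module.exports` function starts and ends outside the hunk.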

+ 1 - 1
src/server/views/widget/page_content.html

@@ -46,7 +46,7 @@
   {% include 'page_alerts.html' %}
 
   <div id="display-switcher">
-    <script type="text/template" id="raw-text-original">{{ revision.body.toString() | encodeHTML }}</script>
+    <script type="text/template" id="raw-text-original">{{ revision.body.toString() | preventXss | encodeHTML }}</script>
   </div>
   <div id="page-editor-navbar-bottom-container" class="d-none d-edit-block"></div>
 </div>
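Review bot: With `preventXss` now placed before `encodeHTML` on L64, the `'--filtered--'` fallback that the server-side filter returns when sanitisation does not converge becomes the entire content of `#raw-text-original`, so whatever client code reads that template (not visible here) would presumably present the sentinel as the page's raw text instead of the stored revision. The element's id suggests it is meant to carry the unmodified body; if the sanitised copy is intended, a short template comment stating that the raw body is sanitised before encoding, and why, would save the next reader from undoing it.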