sou 7 лет назад
Родитель
Сommit
a6228fc4ee

+ 43 - 3
lib/models/config.js

@@ -101,7 +101,10 @@ module.exports = function(crowi) {
 
   function getDefaultMarkdownConfigs() {
     return {
-      'markdown:isEnabledPreventXSS': false,
+      'markdown:XSS:isPrevented': false,
+      'markdown:XSS:option': 2,
+      'markdown:XSS:tagWhiteList': [],
+      'markdown:XSS:attrWhiteList': [],
       'markdown:isEnabledLinebreaks': false,
       'markdown:isEnabledLinebreaksInComments': true,
     };
@@ -335,8 +338,41 @@ module.exports = function(crowi) {
     return config.markdown[key];
   };
 
-  configSchema.statics.isEnabledPreventXSS = function(config) {
-    const key = 'markdown:isEnabledPreventXSS';
+  configSchema.statics.isXSSPrevented = function(config) {
+    const key = 'markdown:XSS:isPrevented';
+
+    // return default value if undefined
+    if (undefined === config.markdown || undefined === config.markdown[key]) {
+      return getDefaultMarkdownConfigs[key];
+    }
+
+    return config.markdown[key];
+  };
+
+  configSchema.statics.XSSOption = function(config) {
+    const key = 'markdown:XSS:option';
+
+    // return default value if undefined
+    if (undefined === config.markdown || undefined === config.markdown[key]) {
+      return getDefaultMarkdownConfigs[key];
+    }
+
+    return config.markdown[key];
+  };
+
+  configSchema.statics.tagWhiteList = function(config) {
+    const key = 'markdown:XSS:tagWhiteList';
+
+    // return default value if undefined
+    if (undefined === config.markdown || undefined === config.markdown[key]) {
+      return getDefaultMarkdownConfigs[key];
+    }
+
+    return config.markdown[key];
+  };
+
+  configSchema.statics.attrWhiteList = function(config) {
+    const key = 'markdown:XSS:attrWhiteList';
 
     // return default value if undefined
     if (undefined === config.markdown || undefined === config.markdown[key]) {
@@ -486,6 +522,10 @@ module.exports = function(crowi) {
       layoutType: Config.layoutType(config),
       isEnabledLinebreaks: Config.isEnabledLinebreaks(config),
       isEnabledLinebreaksInComments: Config.isEnabledLinebreaksInComments(config),
+      isXSSPrevented: Config.isXSSPrevented(config),
+      XSSOption: Config.XSSOption(config),
+      tagWhiteList: Config.attrWhiteList(config),
+      attrWhiteList: Config.tagWhiteList(config),
       highlightJsStyleBorder: Config.highlightJsStyleBorder(config),
       isSavedStatesOfTabChanges: Config.isSavedStatesOfTabChanges(config),
       env: {
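Review bot: The two whitelist fields are cross-wired on the new lines `tagWhiteList: Config.attrWhiteList(config)` and `attrWhiteList: Config.tagWhiteList(config)`, so the object built here hands the sanitizer the attribute list as its tag whitelist and vice versa; they should read `tagWhiteList: Config.tagWhiteList(config),` and `attrWhiteList: Config.attrWhiteList(config),`. Because this object feeds an XSS filter the swap is not cosmetic: names meant to be allowed as attributes would be accepted as tags and the intended tags would not be allowed at all. The same file's second hunk carries a latent defect in the three new getters as well: `return getDefaultMarkdownConfigs[key];` indexes the function object instead of calling it and therefore always yields `undefined` rather than the declared defaults (`false`, `2`, `[]`); it should be `return getDefaultMarkdownConfigs()[key];`. The enclosing object literal continues past the end of this hunk.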

+ 1 - 1
lib/routes/admin.js

@@ -132,7 +132,7 @@ module.exports = function(crowi, app) {
 
   // app.post('/admin/markdown/XSSSetting' , admin.markdown.XSSSetting);
   actions.markdown.XSSSetting = function(req, res) {
-    var XSSSetting = req.form.markdownSetting;
+    let XSSSetting = req.form.markdownSetting;
 
     XSSSetting['markdown:XSS:tagWhiteList'] = stringToArray(XSSSetting['markdown:XSS:tagWhiteList']);
     XSSSetting['markdown:XSS:attrWhiteList'] = stringToArray(XSSSetting['markdown:XSS:attrWhiteList']);
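Review bot: `let XSSSetting = req.form.markdownSetting;` should be `const XSSSetting = req.form.markdownSetting;` — the binding is never reassigned in the visible lines, only its properties are mutated, and `const` states that intent while `let` invites a later reassignment. The two `stringToArray(...)` lines normalise only the whitelist fields; whether the other form keys (for example the `isPrevented` radio value) are validated or coerced before being persisted is not visible here, since the function body continues past the end of the hunk.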

+ 20 - 0
lib/util/swigFunctions.js

@@ -124,6 +124,26 @@ module.exports = function(crowi, app, req, locals) {
     return Config.isEnabledLinebreaksInComments(config);
   };
 
+  locals.isXSSPrevented = function() {
+    const config = crowi.getConfig();
+    return Config.isXSSPrevented(config);
+  };
+
+  locals.XSSOption = function() {
+    const config = crowi.getConfig();
+    return Config.XSSOption(config);
+  };
+
+  locals.tagWhiteList = function() {
+    const config = crowi.getConfig();
+    return Config.tagWhiteList(config);
+  };
+
+  locals.attrWhiteList = function() {
+    const config = crowi.getConfig();
+    return Config.attrWhiteList(config);
+  };
+
   locals.customCss = function() {
     return Config.customCss();
   };
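Review bot: `locals.XSSOption` hands templates a bare number whose meaning is not explained anywhere in this hunk; a one-line comment above it such as `// Sanitizer mode chosen in the admin Markdown settings; the numeric values are presumably interpreted by lib/util/xss — confirm` would spare the next reader a search. The four new helpers otherwise follow the existing `isEnabledLinebreaksInComments` pattern directly above them, which is consistent. Note that `tagWhiteList` and `attrWhiteList` forward whatever `Config` returns unchanged, so any defaulting or ordering mistake in the config getters surfaces directly in the rendered page.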

+ 2 - 2
lib/views/admin/markdown.html

@@ -100,11 +100,11 @@
           </label>
           <div class="col-xs-5">
             <div class="btn-group btn-toggle" data-toggle="buttons">
-              <label class="btn btn-default btn-rounded btn-outline {% if markdownSetting['markdown:isEnabledPreventXSS'] %}active{% endif %}" data-active-class="primary">
+              <label class="btn btn-default btn-rounded btn-outline {% if markdownSetting['markdown:XSS:isPrevented'] %}active{% endif %}" data-active-class="primary">
                 <input name="markdownSetting[markdown:XSS:isPrevented]" value="true" type="radio"
                     {% if true === markdownSetting['markdown:XSS:isPrevented'] %}checked{% endif %}> ON
               </label>
-              <label class="btn btn-default btn-rounded btn-outline {% if !markdownSetting['markdown:isEnabledPreventXSS'] %}active{% endif %}" data-active-class="default">
+              <label class="btn btn-default btn-rounded btn-outline {% if !markdownSetting['markdown:XSS:isPrevented'] %}active{% endif %}" data-active-class="default">
                 <input name="markdownSetting[markdown:XSS:isPrevented]" value="false" type="radio"
                     {% if !markdownSetting['markdown:XSS:isPrevented'] %}checked{% endif %}> OFF
               </label>
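Review bot: The ON toggle tests the setting two different ways — the label uses a truthiness check `{% if markdownSetting['markdown:XSS:isPrevented'] %}active{% endif %}` while the radio on the next line uses `{% if true === markdownSetting['markdown:XSS:isPrevented'] %}checked{% endif %}`. If the stored value is ever the string "true" (the radio submits `value="true"`, and nothing on this page shows it being coerced to a boolean), the label renders active while the input is left unchecked, so neither radio is selected. Use the same test in both places, preferably the strict `true ===` form, or coerce the value once where the form is saved. The OFF side is internally consistent but inherits the same string-versus-boolean ambiguity.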

+ 1 - 2
resource/js/util/PreProcessor/XssFilter.js

@@ -3,8 +3,7 @@ import Xss from '../../../../lib/util/xss';
 export default class XssFilter {
 
   constructor(crowi) {
-    // TODO read options
-    this.xss = new Xss(true);
+    this.xss = new Xss(crowi);
   }
 
   process(markdown) {
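Review bot: The constructor now passes the whole `crowi` object into `new Xss(crowi)` but nothing here records what `Xss` reads from it; a short comment such as `// Xss is expected to take the markdown:XSS:* settings (isPrevented, option, tag/attr whitelists) from crowi's config — confirm in lib/util/xss` would make the dependency explicit now that the TODO is gone. Since this file lives under resource/js it runs in the browser, so the whitelists must reach the client intact and any mistake in how they are assembled server-side is inherited by this filter. `process` starts on the last line of the hunk and its body is outside this view.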