
handled xss=off

sou %!s(int64=7) %!d(string=hai) anos
pai
achega
f3288c3177
Modificáronse 2 ficheiros con 16 adicións e 15 borrados
  1. 4 12
      lib/util/xssOption.js
  2. 12 3
      resource/js/util/PreProcessor/XssFilter.js

+ 4 - 12
lib/util/xssOption.js

@@ -2,20 +2,12 @@ class XssOption {
 
   constructor(config) {
     const recommendedXssWhiteList = require('../util/recommendedXssWhiteList');
+    const initializedConfig = (config != null) ? config : {};
 
-    if (config) {
-      this.isEnabledXssPrevention = config.isEnabledXssPrevention || true;
-      this.tagWhiteList = config.tagWhiteList || recommendedXssWhiteList.tags;
-      this.attrWhiteList = config.attrWhiteList || recommendedXssWhiteList.attrs;
-    }
-    else {
-      this.isEnabledXssPrevention = true;
-      this.tagWhiteList = recommendedXssWhiteList.tags;
-      this.attrWhiteList = recommendedXssWhiteList.attrs;
-    }
-
+    this.isEnabledXssPrevention = initializedConfig.isEnabledXssPrevention || true;
+    this.tagWhiteList = initializedConfig.tagWhiteList || recommendedXssWhiteList.tags;
+    this.attrWhiteList = initializedConfig.attrWhiteList || recommendedXssWhiteList.attrs;
   }
 
 }
-
 module.exports = XssOption;
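Review bot: `initializedConfig.isEnabledXssPrevention || true` evaluates to `true` for every input, so an explicit `false` in the config is silently turned back into enabled and this object can never represent the xss=off state the commit is handling. The expression was carried over from the removed branch, but it now sits beside `XssFilter`, which reads the raw config flag, so the two can disagree about whether prevention is on. Apply the default only when the value is missing, in the style already used for `initializedConfig`: `this.isEnabledXssPrevention = (initializedConfig.isEnabledXssPrevention != null) ? initializedConfig.isEnabledXssPrevention : true;`. A one-line comment stating that the default is deliberately "enabled" would keep a later edit from inverting it.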

+ 12 - 3
resource/js/util/PreProcessor/XssFilter.js

@@ -4,12 +4,21 @@ import xssOption from '../../../../lib/util/xssOption';
 export default class XssFilter {
 
   constructor(crowi) {
-    this.xssOption = new xssOption(crowi.config);
-    this.xss = new Xss(this.xssOption);
+    this.crowi = crowi;
+
+    if (crowi.config.isEnabledXssPrevention) {
+      this.xssOption = new xssOption(crowi.config);
+      this.xss = new Xss(this.xssOption);
+    }
   }
 
   process(markdown) {
-    return this.xss.process(markdown);
+    if (this.crowi.config.isEnabledXssPrevention) {
+      return this.xss.process(markdown);
+    }
+    else {
+      return markdown;
+    }
   }
 
 }
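Review bot: Both new checks test `crowi.config.isEnabledXssPrevention` for truthiness, so a config where the key is missing or undefined skips the filter and `process()` returns the markdown unsanitized, whereas `XssOption` treats a missing value as enabled. For a sanitizer the safer default is on: decide once in the constructor, e.g. `this.isEnabled = crowi.config.isEnabledXssPrevention !== false;`, and test `this.isEnabled` in `process()` (this assumes the setting is stored as a boolean; adjust the comparison if it is a string). `crowi.config` is also dereferenced here without the null guard that `XssOption` applies to its own argument. A comment on `process()` saying that the raw markdown is returned when prevention is off would make the trust boundary explicit to whoever renders the result.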