
xss sanitizer touchups
eugene-f02 committed Jun 23, 2022
1 parent 4719c25 commit 0476be0
Showing 5 changed files with 30 additions and 9 deletions.
6 changes: 3 additions & 3 deletions editormd.js
Expand Up @@ -2,12 +2,12 @@
* Editor.md
*
* @file editormd.js
* @version v1.7.5
* @version v1.7.7
* @description Open source online markdown editor.
* @license MIT License
* @author Pandao
* {@link https://github.com/pandao/editor.md}
* @updateTime 2022-06-20
* @updateTime 2022-06-23
*/

;(function(factory) {
Expand Down Expand Up @@ -59,7 +59,7 @@
};

editormd.title = editormd.$name = "Editor.md";
editormd.version = "1.7.6";
editormd.version = "1.7.7";
editormd.homePage = "https://pandao.github.io/editor.md/";
editormd.classPrefix = "editormd-";

25 changes: 23 additions & 2 deletions lib/xss.js
Expand Up @@ -11,7 +11,7 @@ var _ = require("./util");

function getDefaultWhiteList() {
return {
a: ["target", "href", "title"],
a: ["target", "href", "title", "rel"],
abbr: ["title"],
address: [],
area: ["shape", "coords", "href", "alt"],
Expand Down Expand Up @@ -195,6 +195,27 @@ function safeAttrValue(tag, name, value, cssFilter) {
// ) {
// return "";
// }

REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
return "";
}

REGEXP_DEFAULT_ON_TAG_ATTR_5.lastIndex = 0
if (REGEXP_DEFAULT_ON_TAG_ATTR_5.test(value)) {
return "";
}

if (tag == "iframe"){
if (
!(
value.substr(0, 7) === "http://" ||
value.substr(0, 8) === "https://"
)
) {
return ""
}
}
} else if (name === "background") {
// filter `background` attribute (maybe no use)
// `javascript:`
Expand Down Expand Up @@ -238,7 +259,7 @@ var REGEXP_ATTR_VALUE_NEWLINE = /&newline;?/gim;
// var REGEXP_DEFAULT_ON_TAG_ATTR_3 = /\/\*|\*\//gm;
var REGEXP_DEFAULT_ON_TAG_ATTR_4 =
/((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/gi;
// var REGEXP_DEFAULT_ON_TAG_ATTR_5 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:/gi;
var REGEXP_DEFAULT_ON_TAG_ATTR_5 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:/gi;
// var REGEXP_DEFAULT_ON_TAG_ATTR_6 = /^[\s"'`]*(d\s*a\s*t\s*a\s*)\:\s*image\//gi;
var REGEXP_DEFAULT_ON_TAG_ATTR_7 =
/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi;
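Review bot: The new iframe guard at `if (tag == "iframe"){` uses loose equality and the deprecated `substr` while the neighbouring checks use `===` (see `name === "background"` directly below), and it compares the scheme case-sensitively, so an `HTTPS://…` src is emptied although the same URL in lowercase is kept. Whether `value` is already trimmed or lowercased earlier in `safeAttrValue` cannot be seen here, since the function starts outside this hunk; if it is not, `var src = value.toLowerCase();` followed by `if (tag === "iframe" && !(src.indexOf("http://") === 0 || src.indexOf("https://") === 0)) { return ""; }` keeps the allow-list strict without rejecting valid upper-case schemes. The `lastIndex = 0` resets before each `.test()` are necessary because both regexes carry the `g` flag, and deserve a comment such as `// /g regexes keep match state in lastIndex; reset so an earlier match cannot skip this check`. `REGEXP_DEFAULT_ON_TAG_ATTR_5.lastIndex = 0` and the inner `return ""` are missing the semicolons the rest of the file uses.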
4 changes: 2 additions & 2 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "@ibm-skills-network/editor.md",
"version": "1.7.6",
"version": "1.7.7",
"description": "Open source online markdown editor.",
"directories": {
"doc": "docs",
2 changes: 1 addition & 1 deletion src/editormd.js
Expand Up @@ -47,7 +47,7 @@
};

editormd.title = editormd.$name = "Editor.md";
editormd.version = "1.7.6";
editormd.version = "1.7.7";
editormd.homePage = "https://pandao.github.io/editor.md/";
editormd.classPrefix = "editormd-";

