hedgedoc/public/js/render.js

/* eslint-env browser, jquery */
// allow some attributes

const filterXSS = require('xss')

const whiteListAttr = ['id', 'class', 'style']
window.whiteListAttr = whiteListAttr
// allow link starts with '.', '/' and custom protocol with '://', exclude link starts with javascript://
const linkRegex = /^(?!javascript:\/\/)([\w|-]+:\/\/)|^([.|/])+/i
// allow data uri, from https://gist.github.com/bgrins/6194623
const dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i
// custom white list
const whiteList = filterXSS.whiteList
// allow ol specify start number
whiteList.ol = ['start']
// allow li specify value number
whiteList.li = ['value']
// allow style tag
whiteList.style = []
// allow kbd tag
whiteList.kbd = []
// allow ifram tag with some safe attributes
whiteList.iframe = ['allowfullscreen', 'name', 'referrerpolicy', 'src', 'width', 'height']
// allow summary tag
whiteList.summary = []
// allow ruby tag
whiteList.ruby = []
// allow rp tag for ruby
whiteList.rp = []
// allow rt tag for ruby
whiteList.rt = []
// allow figure tag
whiteList.figure = []
// allow figcaption tag
whiteList.figcaption = []

const filterXSSOptions = {
  allowCommentTag: true,
  whiteList,
  escapeHtml: function (html) {
    // allow html comment in multiple lines
    return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
  },
  onIgnoreTag: function (tag, html, options) {
    // allow comment tag
    if (tag === '!--') {
      // do not filter its attributes
      return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
    }
  },
  onTagAttr: function (tag, name, value, isWhiteAttr) {
    // allow href and src that match linkRegex
    if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
      return name + '="' + filterXSS.escapeAttrValue(value) + '"'
    }
    // allow data uri in img src
    if (isWhiteAttr && (tag === 'img' && name === 'src') && dataUriRegex.test(value)) {
      return name + '="' + filterXSS.escapeAttrValue(value) + '"'
    }
  },
  onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
    // allow attr start with 'data-' or in the whiteListAttr
    if (name.substr(0, 5) === 'data-' || window.whiteListAttr.indexOf(name) !== -1) {
      // escape its value using built-in escapeAttrValue function
      return name + '="' + filterXSS.escapeAttrValue(value) + '"'
    }
  }
}

function preventXSS (html) {
  return filterXSS(html, filterXSSOptions)
}
window.preventXSS = preventXSS

module.exports = {
  preventXSS,
  escapeAttrValue: filterXSS.escapeAttrValue
}
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`/* eslint-env browser, jquery */`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 06:32:22 -04:00			`// allow some attributes`
Remove the xss library from webpack We can load the xss functions directly from the library instead of loading them through the expose loader of webpack, this should simplify the setup and maybe even improve speed a bit. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-11-10 14:24:41 -05:00
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const filterXSS = require('xss')`
Remove the xss library from webpack We can load the xss functions directly from the library instead of loading them through the expose loader of webpack, this should simplify the setup and maybe even improve speed a bit. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-11-10 14:24:41 -05:00
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const whiteListAttr = ['id', 'class', 'style']`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`window.whiteListAttr = whiteListAttr`
Fix XSS vulnerability in link regex [Security Issue] 2017-03-22 06:26:35 -04:00			`// allow link starts with '.', '/' and custom protocol with '://', exclude link starts with javascript://`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const linkRegex = /^(?!javascript:\/\/)([\w\|-]+:\/\/)\|^([.\|/])+/i`
Update to support data uri in src attribute of image tag 2016-08-14 23:00:02 -04:00			`// allow data uri, from https://gist.github.com/bgrins/6194623`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const dataUriRegex = /^\sdata:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()+;=\-._~:@/?%\s])\s$/i`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 06:32:22 -04:00			`// custom white list`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const whiteList = filterXSS.whiteList`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 06:32:22 -04:00			`// allow ol specify start number`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.ol = ['start']`
Update to allow li tag specify value number 2017-02-17 08:56:35 -05:00			`// allow li specify value number`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.li = ['value']`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 06:32:22 -04:00			`// allow style tag`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.style = []`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 06:32:22 -04:00			`// allow kbd tag`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.kbd = []`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 06:32:22 -04:00			`// allow ifram tag with some safe attributes`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.iframe = ['allowfullscreen', 'name', 'referrerpolicy', 'src', 'width', 'height']`
Remove manual allow details tag since default already allow it Signed-off-by: Max Wu <jackymaxj@gmail.com> 2018-02-26 07:54:57 -05:00			`// allow summary tag`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.summary = []`
Extend HTML5 support by whitelisting various tags HTML5 provides a wide feature set of useful elements. Since Markdown usually supports HTML it should be able to use these HTML5 tags as well. As they were requested by some users and they where checked for being safe, whitelisting them isn't a problem. To make the experience the same as on GitHub when it comes to the basic look and feel of the rendered markdown, some CSS was added to make the summary and the details tag look like on GitHub. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-02-25 08:48:50 -05:00			`// allow ruby tag`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.ruby = []`
Update to allow rp tag for ruby Signed-off-by: Max Wu <jackymaxj@gmail.com> 2018-02-26 07:55:10 -05:00			`// allow rp tag for ruby`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.rp = []`
Extend HTML5 support by whitelisting various tags HTML5 provides a wide feature set of useful elements. Since Markdown usually supports HTML it should be able to use these HTML5 tags as well. As they were requested by some users and they where checked for being safe, whitelisting them isn't a problem. To make the experience the same as on GitHub when it comes to the basic look and feel of the rendered markdown, some CSS was added to make the summary and the details tag look like on GitHub. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-02-25 08:48:50 -05:00			`// allow rt tag for ruby`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.rt = []`
Extend HTML5 support by whitelisting various tags HTML5 provides a wide feature set of useful elements. Since Markdown usually supports HTML it should be able to use these HTML5 tags as well. As they were requested by some users and they where checked for being safe, whitelisting them isn't a problem. To make the experience the same as on GitHub when it comes to the basic look and feel of the rendered markdown, some CSS was added to make the summary and the details tag look like on GitHub. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-02-25 08:48:50 -05:00			`// allow figure tag`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.figure = []`
Extend HTML5 support by whitelisting various tags HTML5 provides a wide feature set of useful elements. Since Markdown usually supports HTML it should be able to use these HTML5 tags as well. As they were requested by some users and they where checked for being safe, whitelisting them isn't a problem. To make the experience the same as on GitHub when it comes to the basic look and feel of the rendered markdown, some CSS was added to make the summary and the details tag look like on GitHub. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-02-25 08:48:50 -05:00			`// allow figcaption tag`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`whiteList.figcaption = []`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 15:33:21 -05:00
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const filterXSSOptions = {`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`allowCommentTag: true,`
Adapt code for eslint-config-standard 17 Signed-off-by: David Mehren <git@herrmehren.de> 2022-05-01 15:14:27 -04:00			`whiteList,`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`escapeHtml: function (html) {`
Fix render.js code styles 2017-03-22 06:26:30 -04:00			`// allow html comment in multiple lines`
Fix unclosed tags might cause XSS [Security Issue] 2017-09-27 06:20:04 -04:00			`return html.replace(/<(?!!--)/g, '<').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '>').replace(/__HTML_COMMENT_END__/g, '-->')`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`},`
			`onIgnoreTag: function (tag, html, options) {`
Fix render.js code styles 2017-03-22 06:26:30 -04:00			`// allow comment tag`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`if (tag === '!--') {`
Fix eslint warnings Since we are about to release it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning on order to make warnings visable in the CI process. There should no functional change be introduced. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2019-05-30 18:27:56 -04:00			`// do not filter its attributes`
Fix to escape html comment tag [Security Issue] Signed-off-by: Max Wu <jackymaxj@gmail.com> 2018-12-28 03:42:55 -05:00			`return html.replace(/<(?!!--)/g, '<').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '>').replace(/__HTML_COMMENT_END__/g, '-->')`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`}`
			`},`
			`onTagAttr: function (tag, name, value, isWhiteAttr) {`
Fix render.js code styles 2017-03-22 06:26:30 -04:00			`// allow href and src that match linkRegex`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`if (isWhiteAttr && (name === 'href' \|\| name === 'src') && linkRegex.test(value)) {`
			`return name + '="' + filterXSS.escapeAttrValue(value) + '"'`
			`}`
Fix render.js code styles 2017-03-22 06:26:30 -04:00			`// allow data uri in img src`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`if (isWhiteAttr && (tag === 'img' && name === 'src') && dataUriRegex.test(value)) {`
			`return name + '="' + filterXSS.escapeAttrValue(value) + '"'`
			`}`
			`},`
			`onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {`
Fix render.js code styles 2017-03-22 06:26:30 -04:00			`// allow attr start with 'data-' or in the whiteListAttr`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`if (name.substr(0, 5) === 'data-' \|\| window.whiteListAttr.indexOf(name) !== -1) {`
Fix render.js code styles 2017-03-22 06:26:30 -04:00			`// escape its value using built-in escapeAttrValue function`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`return name + '="' + filterXSS.escapeAttrValue(value) + '"'`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 15:33:21 -05:00			`}`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`}`
			`}`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 15:33:21 -05:00
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`function preventXSS (html) {`
			`return filterXSS(html, filterXSSOptions)`
Resolve dependency module requiring * es5 style module exports * remove script tag require * webpack config ProvidePlugin Note that this commit only fix JavaScript module loading runtime error. 2016-10-08 08:02:30 -04:00			`}`
Use JavaScript Standard Style (part 2) Fixed all fail on frontend code. 2017-03-08 13:41:05 -05:00			`window.preventXSS = preventXSS`
Resolve dependency module requiring * es5 style module exports * remove script tag require * webpack config ProvidePlugin Note that this commit only fix JavaScript module loading runtime error. 2016-10-08 08:02:30 -04:00
			`module.exports = {`
Adapt code for eslint-config-standard 17 Signed-off-by: David Mehren <git@herrmehren.de> 2022-05-01 15:14:27 -04:00			`preventXSS,`
Remove the xss library from webpack We can load the xss functions directly from the library instead of loading them through the expose loader of webpack, this should simplify the setup and maybe even improve speed a bit. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-11-10 14:24:41 -05:00			`escapeAttrValue: filterXSS.escapeAttrValue`
Resolve dependency module requiring * es5 style module exports * remove script tag require * webpack config ProvidePlugin Note that this commit only fix JavaScript module loading runtime error. 2016-10-08 08:02:30 -04:00			`}`