From 4c4a0e0f3fe9b4e33f2182f3f8e20d87736b371d Mon Sep 17 00:00:00 2001
From: "Cheng-Han, Wu"
Date: Thu, 11 Feb 2016 03:45:13 -0600
Subject: [PATCH] Fixed prevent XSS might break lots of tags and only need after rendered

---
 lib/response.js | 3 -
 package.json | 3 +-
 public/js/extra.js | 22 +-
 public/js/index.js | 5 +-
 public/js/pretty.js | 4 +-
 public/js/render.js | 13 ++
 public/js/reveal-markdown.js | 405 ++++++++++++++++++++++++++++++++++
 public/views/foot.ejs | 1 +
 public/views/pretty.ejs | 2 +
 public/views/slide/reveal.hbs | 4 +-
 10 files changed, 442 insertions(+), 20 deletions(-)
 create mode 100644 public/js/render.js
 create mode 100755 public/js/reveal-markdown.js

diff --git a/lib/response.js b/lib/response.js
index c12c4caa2..07cb5ba91 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -11,7 +11,6 @@ var shortId = require('shortid');
 var metaMarked = require('meta-marked');
 var querystring = require('querystring');
 var request = require('request');
-var xss = require('xss');
 //core
 var config = require("../config.js");
@@ -228,7 +227,6 @@ function showPublishNote(req, res, next) {
 //na
 }
 var updatetime = notedata.update_time;
- body = xss(body); // prevent xss
 var text = S(body).escapeHTML().s;
 var title = notedata.title;
 var decodedTitle = LZString.decompressFromBase64(title);
@@ -612,7 +610,6 @@ function showPublishSlide(req, res, next) {
 var decodedTitle = LZString.decompressFromBase64(title);
 if (decodedTitle) title = decodedTitle;
 title = Note.generateWebTitle(title);
- body = xss(body); // prevent xss
 var text = S(body).escapeHTML().s;
 render(res, title, text);
 });
diff --git a/package.json b/package.json
index d96fabc73..4d7019669 100644
--- a/package.json
+++ b/package.json
@@ -49,8 +49,7 @@
 "socket.io": "1.4.4",
 "string": "^3.3.1",
 "toobusy-js": "^0.4.2",
- "winston": "^2.1.1",
- "xss": "^0.2.10"
+ "winston": "^2.1.1"
 },
 "engines": {
 "node": ">=4.x"
diff --git a/public/js/extra.js b/public/js/extra.js
index 2c9c9037d..a2ae83f6b 100644
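Review bot: Dropping `body = xss(body)` in showPublishNote, and again in showPublishSlide in the next hunk, removes the only server-side sanitization of the note body on the published-note and slide routes, so the client-side `preventXSS` step this commit introduces (render.js, not in this chunk) becomes the sole filter and has to run on every path that renders this body, after markdown rendering and before the HTML reaches the DOM. The body still passes through `S(body).escapeHTML()` before the template, so the server emits escaped text rather than live HTML; the exposure is on the client once that text is decoded and rendered, and whether pretty.js and reveal.hbs (changed per the diffstat) apply the filter there is not visible here. A comment at the removal site would stop the next reader from re-adding a source-level filter that breaks tags: `// body is sent HTML-escaped; XSS filtering is applied client-side to the rendered HTML (public/js/render.js)`. Because the `xss` require and the package.json dependency are dropped as well, any remaining `xss(` call elsewhere in response.js would now throw a ReferenceError, which is worth a grep before merging. Both enclosing functions start outside their hunks.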
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -180,7 +180,7 @@ function finishView(view) {
 .each(function (key, value) {
 $.ajax({
 type: 'GET',
- url: '//vimeo.com/api/v2/video/' + $(value).attr('videoid') + '.json',
+ url: '//vimeo.com/api/v2/video/' + $(value).attr('data-videoid') + '.json',
 jsonp: 'callback',
 dataType: 'jsonp',
 success: function (data) {
@@ -285,7 +285,7 @@ function finishView(view) {
 .each(function (key, value) {
 $.ajax({
 type: 'GET',
- url: '//www.slideshare.net/api/oembed/2?url=http://www.slideshare.net/' + $(value).attr('slideshareid') + '&format=json',
+ url: '//www.slideshare.net/api/oembed/2?url=http://www.slideshare.net/' + $(value).attr('data-slideshareid') + '&format=json',
 jsonp: 'callback',
 dataType: 'jsonp',
 success: function (data) {
@@ -304,7 +304,7 @@ function finishView(view) {
 //speakerdeck
 view.find(".speakerdeck.raw").removeClass("raw")
 .each(function (key, value) {
- var url = 'https://speakerdeck.com/oembed.json?url=https%3A%2F%2Fspeakerdeck.com%2F' + encodeURIComponent($(value).attr('speakerdeckid'));
+ var url = 'https://speakerdeck.com/oembed.json?url=https%3A%2F%2Fspeakerdeck.com%2F' + encodeURIComponent($(value).attr('data-speakerdeckid'));
 //use yql because speakerdeck not support jsonp
 $.ajax({
 url: 'https://query.yahooapis.com/v1/public/yql',
@@ -383,8 +383,8 @@ function exportToHTML(view) {
 $(value).attr('src', 'https://www.tortue.me/emoji/' + name + '.png');
 });
 //replace video to iframe
- src.find("div[videoid]").each(function (key, value) {
- var id = $(value).attr('videoid');
+ src.find("div[data-videoid]").each(function (key, value) {
+ var id = $(value).attr('data-videoid');
 var style = $(value).attr('style');
 var url = null;
 if ($(value).hasClass('youtube')) {
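Review bot: The rewritten request URLs in the vimeo and slideshare hunks still splice `$(value).attr('data-videoid')` and `$(value).attr('data-slideshareid')` into the URL unencoded, whereas the speakerdeck hunk wraps its id in `encodeURIComponent`; the three should agree, e.g. `url: '//vimeo.com/api/v2/video/' + encodeURIComponent($(value).attr('data-videoid')) + '.json',`. The ids come from a regex `match[1]` in the plugin code further down, and the patterns are not visible in this chunk, so I cannot say how tightly they are constrained. The move from bare `videoid`/`slideshareid`/`speakerdeckid` attributes to `data-*` names looks like it exists so the rendered-HTML filter added by this commit keeps them; since the filter's allow-list is not visible here, that dependency deserves a comment where the plugins set the attribute, along the lines of `// data-* attribute: presumably kept by preventXSS, unlike a custom attribute name`. finishView and exportToHTML both start and end outside their hunks.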
@@ -534,9 +534,9 @@ function smoothHashScroll() {
 }
 function imgPlayiframe(element, src) {
- if (!$(element).attr("videoid")) return;
+ if (!$(element).attr("data-videoid")) return;
 var iframe = $("");
- $(iframe).attr("src", src + $(element).attr("videoid") + '?autoplay=1');
+ $(iframe).attr("src", src + $(element).attr("data-videoid") + '?autoplay=1');
 $(element).find('img').css('visibility', 'hidden');
 $(element).append(iframe);
 }
@@ -730,7 +730,7 @@ var youtubePlugin = new Plugin(
 var videoid = match[1];
 if (!videoid) return;
 var div = $('
');
- div.attr('videoid', videoid);
+ div.attr('data-videoid', videoid);
 var thumbnail_src = '//img.youtube.com/vi/' + videoid + '/hqdefault.jpg';
 var image = '';
 div.append(image);
@@ -749,7 +749,7 @@ var vimeoPlugin = new Plugin(
 var videoid = match[1];
 if (!videoid) return;
 var div = $('
');
- div.attr('videoid', videoid);
+ div.attr('data-videoid', videoid);
 var icon = '';
 div.append(icon);
 return div[0].outerHTML;
@@ -799,7 +799,7 @@ var slidesharePlugin = new Plugin(
 function (match, utils) {
 var slideshareid = match[1];
 var div = $('
');
- div.attr('slideshareid', slideshareid);
+ div.attr('data-slideshareid', slideshareid);
 return div[0].outerHTML;
 }
 );
@@ -812,7 +812,7 @@ var speakerdeckPlugin = new Plugin(
 function (match, utils) {
 var speakerdeckid = match[1];
 var div = $('
');
- div.attr('speakerdeckid', speakerdeckid);
+ div.attr('data-speakerdeckid', speakerdeckid);
 return div[0].outerHTML;
 }
 );
diff --git a/public/js/index.js b/public/js/index.js
index 1150f7ae4..2e797ac3e 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -2132,11 +2132,12 @@ var lastResult = null;
 function updateViewInner() {
 if (currentMode == modeType.edit || !isDirty) return;
 var value = editor.getValue();
- value = filterXSS(value); // prevent xss
 md.meta = {};
 md.render(value); //only for get meta
 parseMeta(md, ui.area.markdown, $('#toc'), $('#toc-affix'));
- var result = postProcess(md.render(value)).children().toArray();
+ var rendered = md.render(value);
+ rendered = preventXSS(rendered);
+ var result = postProcess(rendered).children().toArray();
 partialUpdate(result, lastResult, ui.area.markdown.children().toArray());
 if (result && lastResult && result.length != lastResult.length)
 updateDataAttrs(result, ui.area.markdown.children().toArray());
diff --git a/public/js/pretty.js b/public/js/pretty.js
index 43e833c23..a38dc244a 100644
--- a/public/js/pretty.js
+++ b/public/js/pretty.js
@@ -3,7 +3,9 @@ var text = $('
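Review bot: `preventXSS` runs on the markdown output before `postProcess`, so anything that postProcess or the later view hooks build from the filtered HTML — for instance the iframe `src` that imgPlayiframe in extra.js assembles from `data-videoid` — is outside the filter's reach and relies on those attribute values being constrained by the plugins that set them; postProcess is not in this chunk, so I cannot confirm it adds nothing of its own. Separately, `md.render(value)` now executes twice in this function: the first call's output is thrown away (`//only for get meta`) and the new `var rendered = md.render(value);` repeats the work. Unless rendering has side effects beyond populating `md.meta`, the first call can supply the value, e.g. replace the bare `md.render(value); //only for get meta` with `var rendered = md.render(value); // also populates md.meta for parseMeta` and drop the later render call. updateViewInner continues past the end of the hunk.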