Commit graph

27 commits

Author SHA1 Message Date
RyotaK
8494f6a085
Don't accept sandbox attribute
Because sandbox is whitelist attribute, attacker will be able to create iframe that has more permission than default.

Signed-off-by: RyotaK <49341894+ry0tak@users.noreply.github.com>
2019-10-22 12:04:12 +02:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
Max Wu
067cfe2d1e Fix to escape html comment tag [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:42:55 +08:00
Sheogorath
c59b94a37b
Remove the xss library from webpack
We can load the xss functions directly from the library instead of
loading them through the expose loader of webpack, this should simplify
the setup and maybe even improve speed a bit.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-10 20:27:07 +01:00
Max Wu
95e9f96aa0 Update to allow rp tag for ruby
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 20:55:10 +08:00
Max Wu
711a11ce23 Remove manual allow details tag since default already allow it
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 20:54:57 +08:00
Sheogorath
5d347d583d
Extend HTML5 support by whitelisting various tags
HTML5 provides a wide feature set of useful elements. Since Markdown
usually supports HTML it should be able to use these HTML5 tags as well.
As they were requested by some users and they where checked for being
safe, whitelisting them isn't a problem. To make the experience the same
as on GitHub when it comes to the basic look and feel of the rendered
markdown, some CSS was added to make the summary and the details tag
look like on GitHub.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-25 14:54:21 +01:00
Sheogorath
93b91163cd
Prevent XSS vul by srcdoc in iframe 2017-11-24 10:10:50 +01:00
Wu Cheng-Han
9b00afb863 Fix unclosed tags might cause XSS [Security Issue] 2017-09-27 18:20:04 +08:00
Wu Cheng-Han
48df250491 Fix link regex should filter protocol with case insensitive flag [Security Issue] 2017-04-11 22:25:14 +08:00
Wu Cheng-Han
e629800457 Fix XSS vulnerability in link regex [Security Issue] 2017-03-22 18:26:35 +08:00
Wu Cheng-Han
0f3b028ed6 Fix render.js code styles 2017-03-22 18:26:30 +08:00
BoHong Li
5bc642d02e Use JavaScript Standard Style (part 2)
Fixed all fail on frontend code.
2017-03-09 02:41:05 +08:00
Wu Cheng-Han
1ca39d9c8e Update to allow li tag specify value number 2017-02-17 21:56:35 +08:00
Wu Cheng-Han
79d5b2c37f Fix slide might able to add unsafe attribute on section tag which cause XSS [Security Issue] 2016-11-26 22:46:58 +08:00
Wu Cheng-Han
ba2bfa2188 Update to support summary tag 2016-10-29 23:43:58 +08:00
Yukai Huang
e10203b7e9 More function expose workaround for reveal-markdown.js 2016-10-10 08:24:58 +08:00
Yukai Huang
963a435ae1 Resolve dependency module requiring
* es5 style module exports
* remove script tag require
* webpack config ProvidePlugin

Note that this commit only fix JavaScript module loading runtime error.
2016-10-08 20:02:30 +08:00
Wu Cheng-Han
ecd7218917 Update to support data uri in src attribute of image tag 2016-08-15 11:00:02 +08:00
Wu Cheng-Han
cf290e86e1 Update XSS policy to allow iframe and link with custom protocol 2016-08-14 18:32:22 +08:00
Cheng-Han, Wu
f6a995143d Update filter XSS to allow attr href starts with '.' or '/' 2016-04-20 18:18:52 +08:00
Cheng-Han, Wu
edc3a31dfd Fix XSS HTML replace might get wrong on the HTML comments in the code tags 2016-04-20 18:10:43 +08:00
Cheng-Han, Wu
049eae5024 Fixed filter XSS should allow ordered list specify start number 2016-03-04 23:17:59 +08:00
Cheng-Han, Wu
c509abbc39 Support kbd tag 2016-02-22 22:42:40 +08:00
Cheng-Han, Wu
2501b190ab Updated to support html comment tag in XSS 2016-02-16 09:51:22 -06:00
Cheng-Han, Wu
2a774064af Updated XSS filter options to allow style tag and style attribute 2016-02-11 14:33:21 -06:00
Cheng-Han, Wu
4c4a0e0f3f Fixed prevent XSS might break lots of tags and only need after rendered 2016-02-11 03:45:13 -06:00