feat: rendering security module

2019-12-11 23:35:54 -05:00
parent 4fb08cb126
commit 278cd7173d
8 changed files with 82 additions and 20 deletions
--- a/server/modules/rendering/html-codehighlighter/definition.yml
+++ b/server/modules/rendering/html-codehighlighter/definition.yml
@@ -5,4 +5,5 @@ author: requarks.io
 icon: mdi-code-braces
 enabledDefault: true
 dependsOn: htmlCore
+step: pre
 props: {}
--- a/server/modules/rendering/html-core/renderer.js
+++ b/server/modules/rendering/html-core/renderer.js
@@ -14,7 +14,11 @@ module.exports = {
      return ''
    }

-    for (let child of this.children) {
+    // --------------------------------
+    // STEP: PRE
+    // --------------------------------
+
+    for (let child of _.reject(this.children, ['step', 'post'])) {
      const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
      renderer.init($, child.config)
    }
@@ -211,6 +215,17 @@ module.exports = {
      headers.push(headerSlug)
    })

-    return $.html('body').replace('<body>', '').replace('</body>', '')
+    let output = $.html('body').replace('<body>', '').replace('</body>', '')
+
+    // --------------------------------
+    // STEP: POST
+    // --------------------------------
+
+    for (let child of _.filter(this.children, ['step', 'post'])) {
+      const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
+      output = renderer.init(output, child.config)
+    }
+
+    return output
  }
 }
--- a/server/modules/rendering/html-mathjax/definition.yml
+++ b/server/modules/rendering/html-mathjax/definition.yml
@@ -5,4 +5,5 @@ author: requarks.io
 icon: mdi-function-variant
 enabledDefault: false
 dependsOn: htmlCore
+step: pre
 props: {}
--- a/server/modules/rendering/html-security/definition.yml
+++ b/server/modules/rendering/html-security/definition.yml
@@ -5,14 +5,10 @@ author: requarks.io
 icon: mdi-fire
 enabledDefault: true
 dependsOn: htmlCore
+step: post
 props:
-  stripJS:
+  safeHTML:
    type: Boolean
-    title: Strip Javascript
-    default: false
-    hint: Javascript code within code blocks won't be affected
-  filterBadWords:
-    type: Boolean
-    title: Filter Bad Words
-    default: false
-    hint: Replace bad words with asterisks
+    title: Sanitize HTML
+    default: true
+    hint: Sanitize HTML from unsafe attributes and tags that could lead to XSS attacks
--- a/server/modules/rendering/html-security/renderer.js
+++ b/server/modules/rendering/html-security/renderer.js
@@ -1,5 +1,38 @@
-module.exports = {
-  init($, config) {
+const xss = require('xss')

+module.exports = {
+  async init(input, config) {
+    if (config.safeHTML) {
+      input = xss(input, {
+        whiteList: {
+          ...xss.whiteList,
+          a: ['class', 'id', 'href', 'target', 'title'],
+          blockquote: ['class', 'id'],
+          code: ['class'],
+          div: ['class', 'id'],
+          em: ['class'],
+          h1: ['class', 'id'],
+          h2: ['class', 'id'],
+          h3: ['class', 'id'],
+          h4: ['class', 'id'],
+          h5: ['class', 'id'],
+          h6: ['class', 'id'],
+          img: ['alt', 'class', 'draggable', 'height', 'src', 'width'],
+          li: ['class'],
+          ol: ['class'],
+          p: ['class'],
+          pre: ['class'],
+          strong: ['class'],
+          table: ['border', 'class', 'id', 'width'],
+          tbody: ['class'],
+          td: ['align', 'class', 'colspan', 'rowspan', 'valign'],
+          th: ['align', 'class', 'colspan', 'rowspan', 'valign'],
+          thead: ['class'],
+          tr: ['class', 'rowspan', 'align', 'valign'],
+          ul: ['class']
+        }
+      })
+    }
+    return input
  }
 }