feat: rendering security module
@@ -5,4 +5,5 @@ author: requarks.io
|
||||
icon: mdi-code-braces
|
||||
enabledDefault: true
|
||||
dependsOn: htmlCore
|
||||
step: pre
|
||||
props: {}
|
||||
|
@@ -14,7 +14,11 @@ module.exports = {
|
||||
return ''
|
||||
}
|
||||
|
||||
for (let child of this.children) {
|
||||
// --------------------------------
|
||||
// STEP: PRE
|
||||
// --------------------------------
|
||||
|
||||
for (let child of _.reject(this.children, ['step', 'post'])) {
|
||||
const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
|
||||
renderer.init($, child.config)
|
||||
}
|
||||
@@ -211,6 +215,17 @@ module.exports = {
|
||||
headers.push(headerSlug)
|
||||
})
|
||||
|
||||
return $.html('body').replace('<body>', '').replace('</body>', '')
|
||||
let output = $.html('body').replace('<body>', '').replace('</body>', '')
|
||||
|
||||
// --------------------------------
|
||||
// STEP: POST
|
||||
// --------------------------------
|
||||
|
||||
for (let child of _.filter(this.children, ['step', 'post'])) {
|
||||
const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
|
||||
output = renderer.init(output, child.config)
|
||||
}
|
||||
|
||||
return output
|
||||
}
|
||||
}
|
||||
|
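Review bot: `output = renderer.init(output, child.config)` in the new post-step loop never awaits the result, yet the html-security renderer added in this same commit declares `async init`, so `output` becomes a Promise rather than a string. If the enclosing render method is itself `async` (its header is above the hunk, so I cannot confirm) and only one post renderer is enabled, `return output` flattens the Promise by accident; a second post renderer, or a synchronous caller, would receive a Promise as `input` instead of HTML. Either write `output = await renderer.init(output, child.config)` inside an async method, or drop `async` from the post renderers since `xss()` is synchronous. Also, `_.filter(this.children, ['step', 'post'])` runs every enabled post renderer in `this.children` order, so a comment pinning the expectation would help, e.g. `// NOTE: html-security should be the last post step; markup appended after it is not sanitized`.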
@@ -5,4 +5,5 @@ author: requarks.io
|
||||
icon: mdi-function-variant
|
||||
enabledDefault: false
|
||||
dependsOn: htmlCore
|
||||
step: pre
|
||||
props: {}
|
||||
|
@@ -5,14 +5,10 @@ author: requarks.io
|
||||
icon: mdi-fire
|
||||
enabledDefault: true
|
||||
dependsOn: htmlCore
|
||||
step: post
|
||||
props:
|
||||
stripJS:
|
||||
safeHTML:
|
||||
type: Boolean
|
||||
title: Strip Javascript
|
||||
default: false
|
||||
hint: Javascript code within code blocks won't be affected
|
||||
filterBadWords:
|
||||
type: Boolean
|
||||
title: Filter Bad Words
|
||||
default: false
|
||||
hint: Replace bad words with asterisks
|
||||
title: Sanitize HTML
|
||||
default: true
|
||||
hint: Sanitize HTML from unsafe attributes and tags that could lead to XSS attacks
|
||||
|
@@ -1,5 +1,38 @@
|
||||
module.exports = {
|
||||
init($, config) {
|
||||
const xss = require('xss')
|
||||
|
||||
module.exports = {
|
||||
async init(input, config) {
|
||||
if (config.safeHTML) {
|
||||
input = xss(input, {
|
||||
whiteList: {
|
||||
...xss.whiteList,
|
||||
a: ['class', 'id', 'href', 'target', 'title'],
|
||||
blockquote: ['class', 'id'],
|
||||
code: ['class'],
|
||||
div: ['class', 'id'],
|
||||
em: ['class'],
|
||||
h1: ['class', 'id'],
|
||||
h2: ['class', 'id'],
|
||||
h3: ['class', 'id'],
|
||||
h4: ['class', 'id'],
|
||||
h5: ['class', 'id'],
|
||||
h6: ['class', 'id'],
|
||||
img: ['alt', 'class', 'draggable', 'height', 'src', 'width'],
|
||||
li: ['class'],
|
||||
ol: ['class'],
|
||||
p: ['class'],
|
||||
pre: ['class'],
|
||||
strong: ['class'],
|
||||
table: ['border', 'class', 'id', 'width'],
|
||||
tbody: ['class'],
|
||||
td: ['align', 'class', 'colspan', 'rowspan', 'valign'],
|
||||
th: ['align', 'class', 'colspan', 'rowspan', 'valign'],
|
||||
thead: ['class'],
|
||||
tr: ['class', 'rowspan', 'align', 'valign'],
|
||||
ul: ['class']
|
||||
}
|
||||
})
|
||||
}
|
||||
return input
|
||||
}
|
||||
}
|
||||
|
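Review bot: The `a` entry in the whitelist allows `target` alongside an author-controlled `href`, but nothing forces `rel="noopener noreferrer"`, so a `target="_blank"` link in page content can hand the destination a `window.opener` reference in browsers that do not default to noopener; either drop `'target'` from the list or post-process anchors to add the `rel` attribute. The `id` attribute is also allowed on `a`, `div`, `blockquote`, `table` and every heading, which lets page content collide with ids the surrounding application's scripts look up (DOM clobbering); this is probably acceptable because heading anchors need ids, but it deserves a comment such as `// NOTE: 'id' is kept for heading anchors; ids in page content can shadow app-level ids`. Spreading `...xss.whiteList` first means every tag the library allows by default stays allowed with its default attributes unless overridden below, so the explicit list is not the complete allow-list it appears to be; a one-line comment saying so would help the next maintainer. Finally, `async` is unnecessary because `xss()` is synchronous, and the caller in html-core assigns `renderer.init(...)` without awaiting it, so `init(input, config) {` would be the safer signature.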