feat: rendering security module

This commit is contained in:
NGPixel
2019-12-11 23:35:54 -05:00
parent 4fb08cb126
commit 278cd7173d
8 changed files with 82 additions and 20 deletions

View File

@@ -5,4 +5,5 @@ author: requarks.io
icon: mdi-code-braces
enabledDefault: true
dependsOn: htmlCore
step: pre
props: {}

View File

@@ -14,7 +14,11 @@ module.exports = {
return ''
}
for (let child of this.children) {
// --------------------------------
// STEP: PRE
// --------------------------------
for (let child of _.reject(this.children, ['step', 'post'])) {
const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
renderer.init($, child.config)
}
@@ -211,6 +215,17 @@ module.exports = {
headers.push(headerSlug)
})
return $.html('body').replace('<body>', '').replace('</body>', '')
let output = $.html('body').replace('<body>', '').replace('</body>', '')
// --------------------------------
// STEP: POST
// --------------------------------
for (let child of _.filter(this.children, ['step', 'post'])) {
const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
output = renderer.init(output, child.config)
}
return output
}
}

View File

@@ -5,4 +5,5 @@ author: requarks.io
icon: mdi-function-variant
enabledDefault: false
dependsOn: htmlCore
step: pre
props: {}

View File

@@ -5,14 +5,10 @@ author: requarks.io
icon: mdi-fire
enabledDefault: true
dependsOn: htmlCore
step: post
props:
stripJS:
safeHTML:
type: Boolean
title: Strip Javascript
default: false
hint: Javascript code within code blocks won't be affected
filterBadWords:
type: Boolean
title: Filter Bad Words
default: false
hint: Replace bad words with asterisks
title: Sanitize HTML
default: true
hint: Sanitize HTML from unsafe attributes and tags that could lead to XSS attacks

View File

@@ -1,5 +1,38 @@
module.exports = {
init($, config) {
const xss = require('xss')
module.exports = {
async init(input, config) {
if (config.safeHTML) {
input = xss(input, {
whiteList: {
...xss.whiteList,
a: ['class', 'id', 'href', 'target', 'title'],
blockquote: ['class', 'id'],
code: ['class'],
div: ['class', 'id'],
em: ['class'],
h1: ['class', 'id'],
h2: ['class', 'id'],
h3: ['class', 'id'],
h4: ['class', 'id'],
h5: ['class', 'id'],
h6: ['class', 'id'],
img: ['alt', 'class', 'draggable', 'height', 'src', 'width'],
li: ['class'],
ol: ['class'],
p: ['class'],
pre: ['class'],
strong: ['class'],
table: ['border', 'class', 'id', 'width'],
tbody: ['class'],
td: ['align', 'class', 'colspan', 'rowspan', 'valign'],
th: ['align', 'class', 'colspan', 'rowspan', 'valign'],
thead: ['class'],
tr: ['class', 'rowspan', 'align', 'valign'],
ul: ['class']
}
})
}
return input
}
}