fix: escape mustache template chars in content
This commit is contained in:
@@ -230,12 +230,31 @@ module.exports = {
|
||||
headers.push(headerSlug)
|
||||
})
|
||||
|
||||
let output = decodeEscape($.html('body').replace('<body>', '').replace('</body>', ''))
|
||||
// --------------------------------
|
||||
// Escape mustache expresions
|
||||
// --------------------------------
|
||||
|
||||
function iterateMustacheNode (node) {
|
||||
const list = $(node).contents().toArray()
|
||||
list.forEach(item => {
|
||||
if (item.type === 'text') {
|
||||
const rawText = $(item).text()
|
||||
if (rawText.indexOf('{{') >= 0 && rawText.indexOf('}}') > 1) {
|
||||
$(item).parent().attr('v-pre', true)
|
||||
}
|
||||
} else {
|
||||
iterateMustacheNode(item)
|
||||
}
|
||||
})
|
||||
}
|
||||
iterateMustacheNode($.root())
|
||||
|
||||
// --------------------------------
|
||||
// STEP: POST
|
||||
// --------------------------------
|
||||
|
||||
let output = decodeEscape($.html('body').replace('<body>', '').replace('</body>', ''))
|
||||
|
||||
for (let child of _.sortBy(_.filter(this.children, ['step', 'post']), ['order'])) {
|
||||
const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
|
||||
output = await renderer.init(output, child.config)
|
||||
|
@@ -13,3 +13,10 @@ props:
|
||||
title: Sanitize HTML
|
||||
default: true
|
||||
hint: Sanitize HTML from unsafe attributes and tags that could lead to XSS attacks
|
||||
order: 1
|
||||
allowIFrames:
|
||||
type: Boolean
|
||||
title: Allow iframes
|
||||
default: false
|
||||
hint: iframes will not be stripped if enabled. (Not recommended)
|
||||
order: 2
|
||||
|
@@ -1,55 +1,22 @@
|
||||
const xss = require('xss')
|
||||
const { JSDOM } = require('jsdom')
|
||||
const createDOMPurify = require('dompurify')
|
||||
|
||||
module.exports = {
|
||||
async init(input, config) {
|
||||
if (config.safeHTML) {
|
||||
input = xss(input, {
|
||||
whiteList: {
|
||||
...xss.whiteList,
|
||||
a: ['class', 'id', 'href', 'style', 'target', 'title', 'rel'],
|
||||
blockquote: ['class', 'id', 'style'],
|
||||
code: ['class', 'style'],
|
||||
details: ['class', 'style'],
|
||||
defs: ['stroke', 'fill', 'stroke-width', 'transform', 'id'],
|
||||
div: ['class', 'id', 'style'],
|
||||
em: ['class', 'style'],
|
||||
figcaption: ['class', 'style', 'id'],
|
||||
figure: ['class', 'style', 'id'],
|
||||
g: ['transform', 'stroke', 'stroke-width', 'fill'],
|
||||
h1: ['class', 'id', 'style'],
|
||||
h2: ['class', 'id', 'style'],
|
||||
h3: ['class', 'id', 'style'],
|
||||
h4: ['class', 'id', 'style'],
|
||||
h5: ['class', 'id', 'style'],
|
||||
h6: ['class', 'id', 'style'],
|
||||
i: ['class', 'id', 'style'],
|
||||
img: ['alt', 'class', 'draggable', 'height', 'id', 'src', 'style', 'width'],
|
||||
input: ['class', 'disabled', 'type', 'checked', 'id'],
|
||||
kbd: ['class'],
|
||||
label: ['class', 'id', 'for'],
|
||||
li: ['class', 'id', 'style'],
|
||||
mark: ['class', 'style'],
|
||||
ol: ['class', 'id', 'style', 'start'],
|
||||
p: ['class', 'id', 'style'],
|
||||
path: ['d', 'style', 'id'],
|
||||
pre: ['class', 'id', 'style'],
|
||||
section: ['class', 'style'],
|
||||
span: ['class', 'style', 'aria-hidden'],
|
||||
strong: ['class', 'style'],
|
||||
summary: ['class', 'id', 'style'],
|
||||
svg: ['width', 'height', 'viewbox', 'preserveaspectratio', 'style'],
|
||||
table: ['border', 'class', 'id', 'style', 'width'],
|
||||
tabset: [],
|
||||
tbody: ['class', 'style'],
|
||||
td: ['align', 'class', 'colspan', 'rowspan', 'style', 'valign', 'id'],
|
||||
template: ['v-slot:tabs', 'v-slot:content'],
|
||||
th: ['align', 'class', 'colspan', 'rowspan', 'style', 'valign', 'id'],
|
||||
thead: ['class', 'style'],
|
||||
tr: ['class', 'rowspan', 'style', 'align', 'valign', 'id'],
|
||||
ul: ['class', 'id', 'style'],
|
||||
use: ['href', 'transform']
|
||||
},
|
||||
css: false
|
||||
const window = new JSDOM('').window
|
||||
const DOMPurify = createDOMPurify(window)
|
||||
|
||||
const allowedAttrs = ['v-pre', 'v-slot:tabs', 'v-slot:content']
|
||||
const allowedTags = ['tabset', 'template']
|
||||
|
||||
if (config.allowIFrames) {
|
||||
allowedTags.push('iframe')
|
||||
}
|
||||
|
||||
input = DOMPurify.sanitize(input, {
|
||||
ADD_ATTR: allowedAttrs,
|
||||
ADD_TAGS: allowedTags
|
||||
})
|
||||
}
|
||||
return input
|
||||
|
Reference in New Issue
Block a user