liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: escape mustache template chars in content

Browse Source
This commit is contained in:
NGPixel
2020-05-08 17:00:02 -04:00
parent 2ff0e42c1d
commit 98bf0d9ccb
5 changed files with 207 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
server/modules/rendering/html-core/renderer.js
View File

@@ -230,12 +230,31 @@ module.exports = {
headers.push(headerSlug)
})
let output = decodeEscape($.html('body').replace('<body>', '').replace('</body>', ''))
// --------------------------------
// Escape mustache expresions
// --------------------------------
function iterateMustacheNode (node) {
const list = $(node).contents().toArray()
list.forEach(item => {
if (item.type === 'text') {
const rawText = $(item).text()
if (rawText.indexOf('{{') >= 0 && rawText.indexOf('}}') > 1) {
$(item).parent().attr('v-pre', true)
}
} else {
iterateMustacheNode(item)
}
})
}
iterateMustacheNode($.root())
// --------------------------------
// STEP: POST
// --------------------------------
let output = decodeEscape($.html('body').replace('<body>', '').replace('</body>', ''))
for (let child of _.sortBy(_.filter(this.children, ['step', 'post']), ['order'])) {
const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
output = await renderer.init(output, child.config)

7
server/modules/rendering/html-security/definition.yml
View File

@@ -13,3 +13,10 @@ props:
title: Sanitize HTML
default: true
hint: Sanitize HTML from unsafe attributes and tags that could lead to XSS attacks
order: 1
allowIFrames:
type: Boolean
title: Allow iframes
default: false
hint: iframes will not be stripped if enabled. (Not recommended)
order: 2

63
server/modules/rendering/html-security/renderer.js
View File

@@ -1,55 +1,22 @@
const xss = require('xss')
const { JSDOM } = require('jsdom')
const createDOMPurify = require('dompurify')
module.exports = {
async init(input, config) {
if (config.safeHTML) {
input = xss(input, {
whiteList: {
...xss.whiteList,
a: ['class', 'id', 'href', 'style', 'target', 'title', 'rel'],
blockquote: ['class', 'id', 'style'],
code: ['class', 'style'],
details: ['class', 'style'],
defs: ['stroke', 'fill', 'stroke-width', 'transform', 'id'],
div: ['class', 'id', 'style'],
em: ['class', 'style'],
figcaption: ['class', 'style', 'id'],
figure: ['class', 'style', 'id'],
g: ['transform', 'stroke', 'stroke-width', 'fill'],
h1: ['class', 'id', 'style'],
h2: ['class', 'id', 'style'],
h3: ['class', 'id', 'style'],
h4: ['class', 'id', 'style'],
h5: ['class', 'id', 'style'],
h6: ['class', 'id', 'style'],
i: ['class', 'id', 'style'],
img: ['alt', 'class', 'draggable', 'height', 'id', 'src', 'style', 'width'],
input: ['class', 'disabled', 'type', 'checked', 'id'],
kbd: ['class'],
label: ['class', 'id', 'for'],
li: ['class', 'id', 'style'],
mark: ['class', 'style'],
ol: ['class', 'id', 'style', 'start'],
p: ['class', 'id', 'style'],
path: ['d', 'style', 'id'],
pre: ['class', 'id', 'style'],
section: ['class', 'style'],
span: ['class', 'style', 'aria-hidden'],
strong: ['class', 'style'],
summary: ['class', 'id', 'style'],
svg: ['width', 'height', 'viewbox', 'preserveaspectratio', 'style'],
table: ['border', 'class', 'id', 'style', 'width'],
tabset: [],
tbody: ['class', 'style'],
td: ['align', 'class', 'colspan', 'rowspan', 'style', 'valign', 'id'],
template: ['v-slot:tabs', 'v-slot:content'],
th: ['align', 'class', 'colspan', 'rowspan', 'style', 'valign', 'id'],
thead: ['class', 'style'],
tr: ['class', 'rowspan', 'style', 'align', 'valign', 'id'],
ul: ['class', 'id', 'style'],
use: ['href', 'transform']
},
css: false
const window = new JSDOM('').window
const DOMPurify = createDOMPurify(window)
const allowedAttrs = ['v-pre', 'v-slot:tabs', 'v-slot:content']
const allowedTags = ['tabset', 'template']
if (config.allowIFrames) {
allowedTags.push('iframe')
}
input = DOMPurify.sanitize(input, {
ADD_ATTR: allowedAttrs,
ADD_TAGS: allowedTags
})
}
return input