Prevent XSS in markdown rendering

This commit is contained in:
Cheng-Han, Wu 2016-02-11 02:36:52 -06:00
parent fdb9c47354
commit 6700f033ab
5 changed files with 11 additions and 4 deletions


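--- a/UNKNOWN_PATH_1
+++ b/UNKNOWN_PATH_1
@@ -33,6 +33,7 @@
 "js-yaml": "~3.5.2",
 "to-markdown": "~1.3.0",
 "lz-string": "~1.4.4",
-"flowchart": "~1.6.1"
+"flowchart": "~1.6.1",
+"xss": "~0.2.10"
 }
 }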


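--- a/UNKNOWN_PATH_2
+++ b/UNKNOWN_PATH_2
@@ -11,6 +11,7 @@ var shortId = require('shortid');
 var metaMarked = require('meta-marked');
 var querystring = require('querystring');
 var request = require('request');
+var xss = require('xss');
 //core
 var config = require("../config.js");
@@ -227,6 +228,7 @@ function showPublishNote(req, res, next) {
 //na
 }
 var updatetime = notedata.update_time;
+body = xss(body); // prevent xss
 var text = S(body).escapeHTML().s;
 var title = notedata.title;
 var decodedTitle = LZString.decompressFromBase64(title);
@@ -610,6 +612,7 @@ function showPublishSlide(req, res, next) {
 var decodedTitle = LZString.decompressFromBase64(title);
 if (decodedTitle) title = decodedTitle;
 title = Note.generateWebTitle(title);
+body = xss(body); // prevent xss
 var text = S(body).escapeHTML().s;
 render(res, title, text);
 });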
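Review bot: `body = xss(body)` in showPublishNote and showPublishSlide filters the Markdown source, not the HTML that the renderer later builds from it, so any markup that only comes into existence during Markdown-to-HTML conversion never passes through the filter; the client-side `value = filterXSS(value)` in updateViewInner has the same placement. An HTML sanitiser does its job where the HTML is final, i.e. on the renderer's output right before it is inserted into the page or sent to the client, and the source-level call can stay as a second layer. Filtering the source also rewrites text that Markdown treats as literal data — presumably fenced and inline code containing tag-like text — because the filter cannot distinguish code spans from markup, which is a content-integrity regression that deserves a test. Both functions begin before the hunk, so where `body` originates is not visible here; a comment such as `// filters the Markdown source only; the rendered HTML still needs sanitising before output` would document the limitation until an output-stage filter exists.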


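--- a/UNKNOWN_PATH_3
+++ b/UNKNOWN_PATH_3
@@ -14,7 +14,6 @@
 "cheerio": "^0.19.0",
 "compression": "^1.6.0",
 "connect-mongo": "^1.1.0",
-"kerberos": "0.0.17",
 "cookie": "0.2.3",
 "cookie-parser": "1.4.1",
 "ejs": "^2.3.4",
@@ -25,6 +24,7 @@
 "highlight.js": "^9.1.0",
 "imgur": "^0.1.7",
 "jsdom-nogyp": "^0.8.3",
+"kerberos": "0.0.17",
 "lz-string": "1.4.4",
 "markdown-pdf": "^6.0.0",
 "marked": "^0.3.5",
@@ -33,6 +33,7 @@
 "moment": "^2.11.1",
 "mongoose": "^4.3.6",
 "morgan": "^1.6.1",
+"mustache": "2.2.1",
 "node-uuid": "^1.4.7",
 "passport": "^0.3.2",
 "passport-dropbox-oauth2": "^1.0.0",
@@ -43,13 +44,13 @@
 "pg": "4.x",
 "randomcolor": "^0.4.3",
 "request": "^2.69.0",
+"reveal.js": "3.2.0",
 "shortid": "2.2.4",
 "socket.io": "1.4.4",
 "string": "^3.3.1",
 "toobusy-js": "^0.4.2",
 "winston": "^2.1.1",
-"mustache": "2.2.1",
-"reveal.js": "3.2.0"
+"xss": "^0.2.10"
 },
 "engines": {
 "node": ">=4.x"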


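--- a/UNKNOWN_PATH_4
+++ b/UNKNOWN_PATH_4
@@ -2131,6 +2131,7 @@ var lastResult = null;
 function updateViewInner() {
 if (currentMode == modeType.edit || !isDirty) return;
 var value = editor.getValue();
+value = filterXSS(value); // prevent xss
 md.meta = {};
 md.render(value); //only for get meta
 parseMeta(md, ui.area.markdown, $('#toc'), $('#toc-affix'));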


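--- a/UNKNOWN_PATH_5
+++ b/UNKNOWN_PATH_5
@@ -29,6 +29,7 @@
 <script src="/vendor/remarkable-regex.js" defer></script>
 <script src="/vendor/gist-embed.js" defer></script>
 <script src="/vendor/lz-string/libs/lz-string.min.js" defer></script>
+<script src="/vendor/xss/dist/xss.min.js" defer></script>
 <script src="/vendor/string.min.js" defer></script>
 <script src="/vendor/highlight-js/highlight.min.js" defer></script>
 <script src="/vendor/js.cookie.js" defer></script>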