From cf290e86e13b6230707f9ce8c6ee0b793c2323c0 Mon Sep 17 00:00:00 2001 From: Wu Cheng-Han Date: Sun, 14 Aug 2016 18:32:22 +0800 Subject: [PATCH] Update XSS policy to allow iframe and link with custom protocol --- public/js/render.js | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/public/js/render.js b/public/js/render.js index 687d23c8..ff1ec9b3 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -1,22 +1,35 @@ -var whiteListTag = ['style', '!--', 'kbd']; +// allow some attributes var whiteListAttr = ['id', 'class', 'style']; +// allow link starts with '.', '/' and custom protocol with '://' +var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/; +// custom white list +var whiteList = filterXSS.whiteList; +// allow ol specify start number +whiteList['ol'] = ['start']; +// allow style tag +whiteList['style'] = []; +// allow kbd tag +whiteList['kbd'] = []; +// allow ifram tag with some safe attributes +whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height']; var filterXSSOptions = { allowCommentTag: true, + whiteList: whiteList, escapeHtml: function (html) { - // to allow html comment in multiple lines + // allow html comment in multiple lines return html.replace(/<(.*?)>/g, '<$1>'); }, onIgnoreTag: function (tag, html, options) { - // allow style in html - if (whiteListTag.indexOf(tag) !== -1) { + // allow comment tag + if (tag == "!--") { // do not filter its attributes return html; } }, onTagAttr: function (tag, name, value, isWhiteAttr) { - // allow href starts with '.' or '/' - if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) { + // allow href and src that match linkRegex + if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) { return name + '="' + filterXSS.escapeAttrValue(value) + '"'; } }, @@ -26,10 +39,6 @@ var filterXSSOptions = { // escape its value using built-in escapeAttrValue function return name + '="' + filterXSS.escapeAttrValue(value) + '"'; } - // allow ol specify start number - if (tag === 'ol' && name === 'start') { - return name + '="' + filterXSS.escapeAttrValue(value) + '"'; - } } };