Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
W
wiki-js
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
1
Issues
1
List
Board
Labels
Milestones
Merge Requests
1
Merge Requests
1
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
wiki-js
Commits
98bf0d9c
Commit
98bf0d9c
authored
May 08, 2020
by
NGPixel
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
fix: escape mustache template chars in content
parent
2ff0e42c
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
43 additions
and
49 deletions
+43
-49
package.json
package.json
+1
-0
renderer.js
server/modules/rendering/html-core/renderer.js
+20
-1
definition.yml
server/modules/rendering/html-security/definition.yml
+7
-0
renderer.js
server/modules/rendering/html-security/renderer.js
+15
-48
yarn.lock
yarn.lock
+0
-0
No files found.
package.json
View file @
98bf0d9c
...
...
@@ -92,6 +92,7 @@
"
js-base64
"
:
"2.5.2"
,
"
js-binary
"
:
"1.2.0"
,
"
js-yaml
"
:
"3.13.1"
,
"
jsdom
"
:
"16.2.2"
,
"
jsonwebtoken
"
:
"8.5.1"
,
"
katex
"
:
"0.11.1"
,
"
klaw
"
:
"3.0.0"
,
...
...
server/modules/rendering/html-core/renderer.js
View file @
98bf0d9c
...
...
@@ -230,12 +230,31 @@ module.exports = {
headers
.
push
(
headerSlug
)
})
let
output
=
decodeEscape
(
$
.
html
(
'body'
).
replace
(
'<body>'
,
''
).
replace
(
'</body>'
,
''
))
// --------------------------------
// Escape mustache expresions
// --------------------------------
function
iterateMustacheNode
(
node
)
{
const
list
=
$
(
node
).
contents
().
toArray
()
list
.
forEach
(
item
=>
{
if
(
item
.
type
===
'text'
)
{
const
rawText
=
$
(
item
).
text
()
if
(
rawText
.
indexOf
(
'{{'
)
>=
0
&&
rawText
.
indexOf
(
'}}'
)
>
1
)
{
$
(
item
).
parent
().
attr
(
'v-pre'
,
true
)
}
}
else
{
iterateMustacheNode
(
item
)
}
})
}
iterateMustacheNode
(
$
.
root
())
// --------------------------------
// STEP: POST
// --------------------------------
let
output
=
decodeEscape
(
$
.
html
(
'body'
).
replace
(
'<body>'
,
''
).
replace
(
'</body>'
,
''
))
for
(
let
child
of
_
.
sortBy
(
_
.
filter
(
this
.
children
,
[
'step'
,
'post'
]),
[
'order'
]))
{
const
renderer
=
require
(
`../
${
_
.
kebabCase
(
child
.
key
)}
/renderer.js`
)
output
=
await
renderer
.
init
(
output
,
child
.
config
)
...
...
server/modules/rendering/html-security/definition.yml
View file @
98bf0d9c
...
...
@@ -13,3 +13,10 @@ props:
title
:
Sanitize HTML
default
:
true
hint
:
Sanitize HTML from unsafe attributes and tags that could lead to XSS attacks
order
:
1
allowIFrames
:
type
:
Boolean
title
:
Allow iframes
default
:
false
hint
:
iframes will not be stripped if enabled. (Not recommended)
order
:
2
server/modules/rendering/html-security/renderer.js
View file @
98bf0d9c
const
xss
=
require
(
'xss'
)
const
{
JSDOM
}
=
require
(
'jsdom'
)
const
createDOMPurify
=
require
(
'dompurify'
)
module
.
exports
=
{
async
init
(
input
,
config
)
{
if
(
config
.
safeHTML
)
{
input
=
xss
(
input
,
{
whiteList
:
{
...
xss
.
whiteList
,
a
:
[
'class'
,
'id'
,
'href'
,
'style'
,
'target'
,
'title'
,
'rel'
],
blockquote
:
[
'class'
,
'id'
,
'style'
],
code
:
[
'class'
,
'style'
],
details
:
[
'class'
,
'style'
],
defs
:
[
'stroke'
,
'fill'
,
'stroke-width'
,
'transform'
,
'id'
],
div
:
[
'class'
,
'id'
,
'style'
],
em
:
[
'class'
,
'style'
],
figcaption
:
[
'class'
,
'style'
,
'id'
],
figure
:
[
'class'
,
'style'
,
'id'
],
g
:
[
'transform'
,
'stroke'
,
'stroke-width'
,
'fill'
],
h1
:
[
'class'
,
'id'
,
'style'
],
h2
:
[
'class'
,
'id'
,
'style'
],
h3
:
[
'class'
,
'id'
,
'style'
],
h4
:
[
'class'
,
'id'
,
'style'
],
h5
:
[
'class'
,
'id'
,
'style'
],
h6
:
[
'class'
,
'id'
,
'style'
],
i
:
[
'class'
,
'id'
,
'style'
],
img
:
[
'alt'
,
'class'
,
'draggable'
,
'height'
,
'id'
,
'src'
,
'style'
,
'width'
],
input
:
[
'class'
,
'disabled'
,
'type'
,
'checked'
,
'id'
],
kbd
:
[
'class'
],
label
:
[
'class'
,
'id'
,
'for'
],
li
:
[
'class'
,
'id'
,
'style'
],
mark
:
[
'class'
,
'style'
],
ol
:
[
'class'
,
'id'
,
'style'
,
'start'
],
p
:
[
'class'
,
'id'
,
'style'
],
path
:
[
'd'
,
'style'
,
'id'
],
pre
:
[
'class'
,
'id'
,
'style'
],
section
:
[
'class'
,
'style'
],
span
:
[
'class'
,
'style'
,
'aria-hidden'
],
strong
:
[
'class'
,
'style'
],
summary
:
[
'class'
,
'id'
,
'style'
],
svg
:
[
'width'
,
'height'
,
'viewbox'
,
'preserveaspectratio'
,
'style'
],
table
:
[
'border'
,
'class'
,
'id'
,
'style'
,
'width'
],
tabset
:
[],
tbody
:
[
'class'
,
'style'
],
td
:
[
'align'
,
'class'
,
'colspan'
,
'rowspan'
,
'style'
,
'valign'
,
'id'
],
template
:
[
'v-slot:tabs'
,
'v-slot:content'
],
th
:
[
'align'
,
'class'
,
'colspan'
,
'rowspan'
,
'style'
,
'valign'
,
'id'
],
thead
:
[
'class'
,
'style'
],
tr
:
[
'class'
,
'rowspan'
,
'style'
,
'align'
,
'valign'
,
'id'
],
ul
:
[
'class'
,
'id'
,
'style'
],
use
:
[
'href'
,
'transform'
]
},
css
:
false
const
window
=
new
JSDOM
(
''
).
window
const
DOMPurify
=
createDOMPurify
(
window
)
const
allowedAttrs
=
[
'v-pre'
,
'v-slot:tabs'
,
'v-slot:content'
]
const
allowedTags
=
[
'tabset'
,
'template'
]
if
(
config
.
allowIFrames
)
{
allowedTags
.
push
(
'iframe'
)
}
input
=
DOMPurify
.
sanitize
(
input
,
{
ADD_ATTR
:
allowedAttrs
,
ADD_TAGS
:
allowedTags
})
}
return
input
...
...
yarn.lock
View file @
98bf0d9c
This diff was suppressed by a .gitattributes entry.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
