From f774a9690b4d06c1297b0f52f7bfcffc1ae514f2 Mon Sep 17 00:00:00 2001
From: yangjian
Date: Wed, 20 May 2020 22:20:07 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E6=96=87=E6=A1=A3=E7=BC=96?= =?UTF-8?q?=E8=BE=91=E5=99=A8=E5=B7=A5=E5=85=B7=E6=A0=8F=E4=BD=8D=E7=BD=AE?= =?UTF-8?q?=EF=BC=8C=E4=BF=AE=E5=A4=8D=E7=BC=96=E8=BE=91=E5=99=A8=E9=83=A8?= =?UTF-8?q?=E5=88=86xss?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
static/editor.md/editormd.js | 44 +++++++++++++++++++++++++++++-------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/static/editor.md/editormd.js b/static/editor.md/editormd.js
index 61f256d..ed803ea 100644
--- a/static/editor.md/editormd.js
+++ b/static/editor.md/editormd.js
@@ -1072,12 +1072,14 @@ return false; } - if (top - editor.offset().top > 10 && top < editor.height()) + // if (top - editor.offset().top > 10 && top < editor.height()) + if (top - editor.offset().top > 10 && top - editor.offset().top < editor.height() - toolbar.height()) { toolbar.css({ position : "fixed", width : editor.width() + "px", - left : ($window.width() - editor.width()) / 2 + "px" + // left : ($window.width() - editor.width()) / 2 + "px" + left : editor.offset().left + "px" }); } else
@@ -3610,7 +3612,8 @@ var headingHTML = ""; - headingHTML += ""; + // headingHTML += ""; + headingHTML += "]*>\s?/g,'') + "\" class=\"reference-link\">"; headingHTML += ""; headingHTML += (hasLinkReg) ? this.atLink(this.emoji(linkText)) : this.atLink(this.emoji(text)); headingHTML += "";
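Review bot: The replaced condition and the replaced `left` value are left behind as `// if (...)` and `// left : ...` comments directly above the new lines in the toolbar-positioning hunk; the old code is preserved by version control, so those two commented-out lines should be deleted rather than kept in the shipped file. The new condition also reads `editor.offset()` three times in one expression; hoisting `var editorTop = editor.offset().top;` before the `if` and comparing `top - editorTop` makes the bounds easier to read and avoids repeated layout queries. The enclosing function (apparently a scroll/resize handler, judging by `$window` and `top`) starts and ends outside this hunk.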
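Review bot: The new heading line interpolates tag-stripped text straight into a double-quoted `id="..."` attribute (this hunk is garbled in the rendering, but the surviving fragment `]*>\s?/g,'') + "\" class=\"reference-link\">"` shows a `<...>`-stripping regex followed directly by the closing quote); removing tags does not neutralise a literal `"` inside the heading text, which would still terminate the attribute early. Escaping the quote after stripping, e.g. `.replace(/<[^>]*>\s?/g, '').replace(/"/g, '&quot;')`, or reusing an attribute-escaping helper if the file already has one, closes that gap without changing the generated ids for ordinary headings. The superseded `headingHTML += ...` line is kept as a comment and should be removed. The enclosing heading renderer starts and ends outside this hunk.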
@@ -3862,17 +3865,25 @@ editormd.filterHTMLTags = function(html, filters) { if (typeof html !== "string") { - html = new String(html); + html = new String(html).toString(); } if (typeof filters !== "string") { - return html; + //return html; + // If no filters set use "script|on*" by default to avoid XSS + filters = "script|on*"; } var expression = filters.split("|"); var filterTags = expression[0].split(","); var attrs = expression[1]; + if(!filterTags.includes('allowScript') && !filterTags.includes('script')) + { + // Only allow script if requested specifically + filterTags.push('script'); + } + for (var i = 0, len = filterTags.length; i < len; i++) { var tag = filterTags[i]; @@ -3882,17 +3893,33 @@ //return html; + if (typeof attrs === "undefined") + { + // If no attrs set block "on*" to avoid XSS + attrs = "on*" + } + if (typeof attrs !== "undefined") { var htmlTagRegex = /\<(\w+)\s*([^\>]*)\>([^\>]*)\<\/(\w+)\>/ig; + var filterAttrs = attrs.split(","); + var filterOn = true; + + if(filterAttrs.includes('allowOn')) + { + // Only allow on* if requested specifically + filterOn = false; + } + if (attrs === "*") { html = html.replace(htmlTagRegex, function($1, $2, $3, $4, $5) { return "<" + $2 + ">" + $4 + ""; }); } - else if (attrs === "on*") + // else if (attrs === "on*") + else if ((attrs === "on*") || filterOn) { html = html.replace(htmlTagRegex, function($1, $2, $3, $4, $5) { var el = $("<" + $2 + ">" + $4 + ""); @@ -3916,10 +3943,11 @@ return el[0].outerHTML + text; }); } - else + // else + if(filterAttrs.length > 1 || (filterAttrs[0]!=="*" && filterAttrs[0]!=="on*")) { html = html.replace(htmlTagRegex, function($1, $2, $3, $4) { - var filterAttrs = attrs.split(","); + // var filterAttrs = attrs.split(","); var el = $($1); el.html($4);
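Review bot: `html = new String(html).toString();` in the first hunk of `filterHTMLTags` is the long way round; `html = String(html);` yields the same primitive. The `allowScript` opt-out is tested with `filterTags.includes(...)`, an ES2016 method, while the visible code is otherwise ES5 (`var`, function expressions), so if the library still targets browsers without ES2016 the check should be `filterTags.indexOf('allowScript') === -1 && filterTags.indexOf('script') === -1`. The opt-out token also remains in `filterTags`, so the `for` loop below treats `allowScript` as a tag name to filter; the contract deserves a comment on the function, e.g. `// filters: "tag,tag|attr,attr"; defaults to "script|on*". The pseudo-tokens allowScript / allowOn opt out of those defaults.`. The loop body beginning at `var tag = filterTags[i];` continues outside this hunk.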
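Review bot: The new `filterOn` default in the attribute hunk only reaches markup that `htmlTagRegex` matches, and that pattern (`/\<(\w+)\s*([^\>]*)\>([^\>]*)\<\/(\w+)\>/ig`) requires an explicit closing tag and tag-free content, so unclosed or void elements and nested elements are never visited by the `on*`-stripping branch. The default is an improvement, but it is not a complete sanitizer; either the function comment should state that limitation, or the walk should move to a DOM-based pass (the branch already builds `$("<" + $2 + ">" + $4 + "")`, so a `find('*')` over a parsed fragment is available). Two smaller points: `attrs = "on*"` is missing its semicolon, and the `if (typeof attrs !== "undefined")` test that immediately follows the new default is now always true, so that guard can be dropped. The `allowOn` token stays in `filterAttrs` and is later processed as an attribute name by the `if(filterAttrs.length > 1 || ...)` branch in the next hunk. `filterHTMLTags` starts and ends outside this hunk.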