diff options
author | Cheng-Han, Wu | 2016-02-11 03:45:13 -0600 |
---|---|---|
committer | Cheng-Han, Wu | 2016-02-11 03:45:13 -0600 |
commit | 4c4a0e0f3fe9b4e33f2182f3f8e20d87736b371d (patch) | |
tree | d3e79f4a2481ad55eac4e56a56bb541fbb214783 | |
parent | 176021ccd85630abbc3af4001f9a590d4277e584 (diff) |
Fixed prevent XSS might break lots of tags and only need after rendered
Diffstat (limited to '')
-rw-r--r-- | lib/response.js | 3 | ||||
-rw-r--r-- | package.json | 3 | ||||
-rw-r--r-- | public/js/extra.js | 22 | ||||
-rw-r--r-- | public/js/index.js | 5 | ||||
-rw-r--r-- | public/js/pretty.js | 4 | ||||
-rw-r--r-- | public/js/render.js | 13 | ||||
-rwxr-xr-x | public/js/reveal-markdown.js | 405 | ||||
-rw-r--r-- | public/views/foot.ejs | 1 | ||||
-rw-r--r-- | public/views/pretty.ejs | 2 | ||||
-rw-r--r-- | public/views/slide/reveal.hbs | 4 |
10 files changed, 442 insertions, 20 deletions
diff --git a/lib/response.js b/lib/response.js index c12c4caa..07cb5ba9 100644 --- a/lib/response.js +++ b/lib/response.js @@ -11,7 +11,6 @@ var shortId = require('shortid'); var metaMarked = require('meta-marked'); var querystring = require('querystring'); var request = require('request'); -var xss = require('xss'); //core var config = require("../config.js"); @@ -228,7 +227,6 @@ function showPublishNote(req, res, next) { //na } var updatetime = notedata.update_time; - body = xss(body); // prevent xss var text = S(body).escapeHTML().s; var title = notedata.title; var decodedTitle = LZString.decompressFromBase64(title); @@ -612,7 +610,6 @@ function showPublishSlide(req, res, next) { var decodedTitle = LZString.decompressFromBase64(title); if (decodedTitle) title = decodedTitle; title = Note.generateWebTitle(title); - body = xss(body); // prevent xss var text = S(body).escapeHTML().s; render(res, title, text); }); diff --git a/package.json b/package.json index d96fabc7..4d701966 100644 --- a/package.json +++ b/package.json @@ -49,8 +49,7 @@ "socket.io": "1.4.4", "string": "^3.3.1", "toobusy-js": "^0.4.2", - "winston": "^2.1.1", - "xss": "^0.2.10" + "winston": "^2.1.1" }, "engines": { "node": ">=4.x" diff --git a/public/js/extra.js b/public/js/extra.js index 2c9c9037..a2ae83f6 100644 --- a/public/js/extra.js +++ b/public/js/extra.js @@ -180,7 +180,7 @@ function finishView(view) { .each(function (key, value) { $.ajax({ type: 'GET', - url: '//vimeo.com/api/v2/video/' + $(value).attr('videoid') + '.json', + url: '//vimeo.com/api/v2/video/' + $(value).attr('data-videoid') + '.json', jsonp: 'callback', dataType: 'jsonp', success: function (data) { @@ -285,7 +285,7 @@ function finishView(view) { .each(function (key, value) { $.ajax({ type: 'GET', - url: '//www.slideshare.net/api/oembed/2?url=http://www.slideshare.net/' + $(value).attr('slideshareid') + '&format=json', + url: '//www.slideshare.net/api/oembed/2?url=http://www.slideshare.net/' + $(value).attr('data-slideshareid') + '&format=json', jsonp: 'callback', dataType: 'jsonp', success: function (data) { @@ -304,7 +304,7 @@ function finishView(view) { //speakerdeck view.find(".speakerdeck.raw").removeClass("raw") .each(function (key, value) { - var url = 'https://speakerdeck.com/oembed.json?url=https%3A%2F%2Fspeakerdeck.com%2F' + encodeURIComponent($(value).attr('speakerdeckid')); + var url = 'https://speakerdeck.com/oembed.json?url=https%3A%2F%2Fspeakerdeck.com%2F' + encodeURIComponent($(value).attr('data-speakerdeckid')); //use yql because speakerdeck not support jsonp $.ajax({ url: 'https://query.yahooapis.com/v1/public/yql', @@ -383,8 +383,8 @@ function exportToHTML(view) { $(value).attr('src', 'https://www.tortue.me/emoji/' + name + '.png'); }); //replace video to iframe - src.find("div[videoid]").each(function (key, value) { - var id = $(value).attr('videoid'); + src.find("div[data-videoid]").each(function (key, value) { + var id = $(value).attr('data-videoid'); var style = $(value).attr('style'); var url = null; if ($(value).hasClass('youtube')) { @@ -534,9 +534,9 @@ function smoothHashScroll() { } function imgPlayiframe(element, src) { - if (!$(element).attr("videoid")) return; + if (!$(element).attr("data-videoid")) return; var iframe = $("<iframe frameborder='0' webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>"); - $(iframe).attr("src", src + $(element).attr("videoid") + '?autoplay=1'); + $(iframe).attr("src", src + $(element).attr("data-videoid") + '?autoplay=1'); $(element).find('img').css('visibility', 'hidden'); $(element).append(iframe); } @@ -730,7 +730,7 @@ var youtubePlugin = new Plugin( var videoid = match[1]; if (!videoid) return; var div = $('<div class="youtube raw"></div>'); - div.attr('videoid', videoid); + div.attr('data-videoid', videoid); var thumbnail_src = '//img.youtube.com/vi/' + videoid + '/hqdefault.jpg'; var image = '<img src="' + thumbnail_src + '" />'; div.append(image); @@ -749,7 +749,7 @@ var vimeoPlugin = new Plugin( var videoid = match[1]; if (!videoid) return; var div = $('<div class="vimeo raw"></div>'); - div.attr('videoid', videoid); + div.attr('data-videoid', videoid); var icon = '<i class="icon fa fa-vimeo-square fa-5x"></i>'; div.append(icon); return div[0].outerHTML; @@ -799,7 +799,7 @@ var slidesharePlugin = new Plugin( function (match, utils) { var slideshareid = match[1]; var div = $('<div class="slideshare raw"></div>'); - div.attr('slideshareid', slideshareid); + div.attr('data-slideshareid', slideshareid); return div[0].outerHTML; } ); @@ -812,7 +812,7 @@ var speakerdeckPlugin = new Plugin( function (match, utils) { var speakerdeckid = match[1]; var div = $('<div class="speakerdeck raw"></div>'); - div.attr('speakerdeckid', speakerdeckid); + div.attr('data-speakerdeckid', speakerdeckid); return div[0].outerHTML; } ); diff --git a/public/js/index.js b/public/js/index.js index 1150f7ae..2e797ac3 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -2132,11 +2132,12 @@ var lastResult = null; function updateViewInner() { if (currentMode == modeType.edit || !isDirty) return; var value = editor.getValue(); - value = filterXSS(value); // prevent xss md.meta = {}; md.render(value); //only for get meta parseMeta(md, ui.area.markdown, $('#toc'), $('#toc-affix')); - var result = postProcess(md.render(value)).children().toArray(); + var rendered = md.render(value); + rendered = preventXSS(rendered); + var result = postProcess(rendered).children().toArray(); partialUpdate(result, lastResult, ui.area.markdown.children().toArray()); if (result && lastResult && result.length != lastResult.length) updateDataAttrs(result, ui.area.markdown.children().toArray()); diff --git a/public/js/pretty.js b/public/js/pretty.js index 43e833c2..a38dc244 100644 --- a/public/js/pretty.js +++ b/public/js/pretty.js @@ -3,7 +3,9 @@ var text = $('<textarea/>').html(markdown.html()).text(); md.meta = {}; md.render(text); //only for get meta parseMeta(md, markdown, $('#toc'), $('#toc-affix')); -var result = postProcess(md.render(text)); +var rendered = md.render(text); +rendered = preventXSS(rendered); +var result = postProcess(rendered); markdown.html(result.html()); $(document.body).show(); finishView(markdown); diff --git a/public/js/render.js b/public/js/render.js new file mode 100644 index 00000000..1abb68c5 --- /dev/null +++ b/public/js/render.js @@ -0,0 +1,13 @@ +function preventXSS(html) { + var options = { + allowCommentTag: true, + onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { + // allow attr start with 'data-' or equal 'id' and 'class' + if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') { + // escape its value using built-in escapeAttrValue function + return name + '="' + filterXSS.escapeAttrValue(value) + '"'; + } + } + }; + return filterXSS(html, options); +}
\ No newline at end of file diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js new file mode 100755 index 00000000..a3f2505a --- /dev/null +++ b/public/js/reveal-markdown.js @@ -0,0 +1,405 @@ +/** + * The reveal.js markdown plugin. Handles parsing of + * markdown inside of presentations as well as loading + * of external markdown documents. + */ +(function( root, factory ) { + if( typeof exports === 'object' ) { + module.exports = factory( require( './marked' ) ); + } + else { + // Browser globals (root is window) + root.RevealMarkdown = factory( root.marked ); + root.RevealMarkdown.initialize(); + } +}( this, function( marked ) { + + if( typeof marked === 'undefined' ) { + throw 'The reveal.js Markdown plugin requires marked to be loaded'; + } + + if( typeof hljs !== 'undefined' ) { + marked.setOptions({ + highlight: function( lang, code ) { + return hljs.highlightAuto( lang, code ).value; + } + }); + } + + var DEFAULT_SLIDE_SEPARATOR = '^\r?\n---\r?\n$', + DEFAULT_NOTES_SEPARATOR = 'note:', + DEFAULT_ELEMENT_ATTRIBUTES_SEPARATOR = '\\\.element\\\s*?(.+?)$', + DEFAULT_SLIDE_ATTRIBUTES_SEPARATOR = '\\\.slide:\\\s*?(\\\S.+?)$'; + + var SCRIPT_END_PLACEHOLDER = '__SCRIPT_END__'; + + + /** + * Retrieves the markdown contents of a slide section + * element. Normalizes leading tabs/whitespace. + */ + function getMarkdownFromSlide( section ) { + + var template = section.querySelector( 'script' ); + + // strip leading whitespace so it isn't evaluated as code + var text = ( template || section ).textContent; + + // restore script end tags + text = text.replace( new RegExp( SCRIPT_END_PLACEHOLDER, 'g' ), '</script>' ); + + var leadingWs = text.match( /^\n?(\s*)/ )[1].length, + leadingTabs = text.match( /^\n?(\t*)/ )[1].length; + + if( leadingTabs > 0 ) { + text = text.replace( new RegExp('\\n?\\t{' + leadingTabs + '}','g'), '\n' ); + } + else if( leadingWs > 1 ) { + text = text.replace( new RegExp('\\n? {' + leadingWs + '}', 'g'), '\n' ); + } + + return text; + + } + + /** + * Given a markdown slide section element, this will + * return all arguments that aren't related to markdown + * parsing. Used to forward any other user-defined arguments + * to the output markdown slide. + */ + function getForwardedAttributes( section ) { + + var attributes = section.attributes; + var result = []; + + for( var i = 0, len = attributes.length; i < len; i++ ) { + var name = attributes[i].name, + value = attributes[i].value; + + // disregard attributes that are used for markdown loading/parsing + if( /data\-(markdown|separator|vertical|notes)/gi.test( name ) ) continue; + + if( value ) { + result.push( name + '="' + value + '"' ); + } + else { + result.push( name ); + } + } + + return result.join( ' ' ); + + } + + /** + * Inspects the given options and fills out default + * values for what's not defined. + */ + function getSlidifyOptions( options ) { + + options = options || {}; + options.separator = options.separator || DEFAULT_SLIDE_SEPARATOR; + options.notesSeparator = options.notesSeparator || DEFAULT_NOTES_SEPARATOR; + options.attributes = options.attributes || ''; + + return options; + + } + + /** + * Helper function for constructing a markdown slide. + */ + function createMarkdownSlide( content, options ) { + + options = getSlidifyOptions( options ); + + var notesMatch = content.split( new RegExp( options.notesSeparator, 'mgi' ) ); + + if( notesMatch.length === 2 ) { + content = notesMatch[0] + '<aside class="notes" data-markdown>' + notesMatch[1].trim() + '</aside>'; + } + + // prevent script end tags in the content from interfering + // with parsing + content = content.replace( /<\/script>/g, SCRIPT_END_PLACEHOLDER ); + + return '<script type="text/template">' + content + '</script>'; + + } + + /** + * Parses a data string into multiple slides based + * on the passed in separator arguments. + */ + function slidify( markdown, options ) { + + options = getSlidifyOptions( options ); + + var separatorRegex = new RegExp( options.separator + ( options.verticalSeparator ? '|' + options.verticalSeparator : '' ), 'mg' ), + horizontalSeparatorRegex = new RegExp( options.separator ); + + var matches, + lastIndex = 0, + isHorizontal, + wasHorizontal = true, + content, + sectionStack = []; + + // iterate until all blocks between separators are stacked up + while( matches = separatorRegex.exec( markdown ) ) { + notes = null; + + // determine direction (horizontal by default) + isHorizontal = horizontalSeparatorRegex.test( matches[0] ); + + if( !isHorizontal && wasHorizontal ) { + // create vertical stack + sectionStack.push( [] ); + } + + // pluck slide content from markdown input + content = markdown.substring( lastIndex, matches.index ); + + if( isHorizontal && wasHorizontal ) { + // add to horizontal stack + sectionStack.push( content ); + } + else { + // add to vertical stack + sectionStack[sectionStack.length-1].push( content ); + } + + lastIndex = separatorRegex.lastIndex; + wasHorizontal = isHorizontal; + } + + // add the remaining slide + ( wasHorizontal ? sectionStack : sectionStack[sectionStack.length-1] ).push( markdown.substring( lastIndex ) ); + + var markdownSections = ''; + + // flatten the hierarchical stack, and insert <section data-markdown> tags + for( var i = 0, len = sectionStack.length; i < len; i++ ) { + // vertical + if( sectionStack[i] instanceof Array ) { + markdownSections += '<section '+ options.attributes +'>'; + + sectionStack[i].forEach( function( child ) { + markdownSections += '<section data-markdown>' + createMarkdownSlide( child, options ) + '</section>'; + } ); + + markdownSections += '</section>'; + } + else { + markdownSections += '<section '+ options.attributes +' data-markdown>' + createMarkdownSlide( sectionStack[i], options ) + '</section>'; + } + } + + return markdownSections; + + } + + /** + * Parses any current data-markdown slides, splits + * multi-slide markdown into separate sections and + * handles loading of external markdown. + */ + function processSlides() { + + var sections = document.querySelectorAll( '[data-markdown]'), + section; + + for( var i = 0, len = sections.length; i < len; i++ ) { + + section = sections[i]; + + if( section.getAttribute( 'data-markdown' ).length ) { + + var xhr = new XMLHttpRequest(), + url = section.getAttribute( 'data-markdown' ); + + datacharset = section.getAttribute( 'data-charset' ); + + // see https://developer.mozilla.org/en-US/docs/Web/API/element.getAttribute#Notes + if( datacharset != null && datacharset != '' ) { + xhr.overrideMimeType( 'text/html; charset=' + datacharset ); + } + + xhr.onreadystatechange = function() { + if( xhr.readyState === 4 ) { + // file protocol yields status code 0 (useful for local debug, mobile applications etc.) + if ( ( xhr.status >= 200 && xhr.status < 300 ) || xhr.status === 0 ) { + + section.outerHTML = slidify( xhr.responseText, { + separator: section.getAttribute( 'data-separator' ), + verticalSeparator: section.getAttribute( 'data-separator-vertical' ), + notesSeparator: section.getAttribute( 'data-separator-notes' ), + attributes: getForwardedAttributes( section ) + }); + + } + else { + + section.outerHTML = '<section data-state="alert">' + + 'ERROR: The attempt to fetch ' + url + ' failed with HTTP status ' + xhr.status + '.' + + 'Check your browser\'s JavaScript console for more details.' + + '<p>Remember that you need to serve the presentation HTML from a HTTP server.</p>' + + '</section>'; + + } + } + }; + + xhr.open( 'GET', url, false ); + + try { + xhr.send(); + } + catch ( e ) { + alert( 'Failed to get the Markdown file ' + url + '. Make sure that the presentation and the file are served by a HTTP server and the file can be found there. ' + e ); + } + + } + else if( section.getAttribute( 'data-separator' ) || section.getAttribute( 'data-separator-vertical' ) || section.getAttribute( 'data-separator-notes' ) ) { + + section.outerHTML = slidify( getMarkdownFromSlide( section ), { + separator: section.getAttribute( 'data-separator' ), + verticalSeparator: section.getAttribute( 'data-separator-vertical' ), + notesSeparator: section.getAttribute( 'data-separator-notes' ), + attributes: getForwardedAttributes( section ) + }); + + } + else { + section.innerHTML = createMarkdownSlide( getMarkdownFromSlide( section ) ); + } + } + + } + + /** + * Check if a node value has the attributes pattern. + * If yes, extract it and add that value as one or several attributes + * the the terget element. + * + * You need Cache Killer on Chrome to see the effect on any FOM transformation + * directly on refresh (F5) + * http://stackoverflow.com/questions/5690269/disabling-chrome-cache-for-website-development/7000899#answer-11786277 + */ + function addAttributeInElement( node, elementTarget, separator ) { + + var mardownClassesInElementsRegex = new RegExp( separator, 'mg' ); + var mardownClassRegex = new RegExp( "([^\"= ]+?)=\"([^\"=]+?)\"", 'mg' ); + var nodeValue = node.nodeValue; + if( matches = mardownClassesInElementsRegex.exec( nodeValue ) ) { + + var classes = matches[1]; + nodeValue = nodeValue.substring( 0, matches.index ) + nodeValue.substring( mardownClassesInElementsRegex.lastIndex ); + node.nodeValue = nodeValue; + while( matchesClass = mardownClassRegex.exec( classes ) ) { + elementTarget.setAttribute( matchesClass[1], matchesClass[2] ); + } + return true; + } + return false; + } + + /** + * Add attributes to the parent element of a text node, + * or the element of an attribute node. + */ + function addAttributes( section, element, previousElement, separatorElementAttributes, separatorSectionAttributes ) { + + if ( element != null && element.childNodes != undefined && element.childNodes.length > 0 ) { + previousParentElement = element; + for( var i = 0; i < element.childNodes.length; i++ ) { + childElement = element.childNodes[i]; + if ( i > 0 ) { + j = i - 1; + while ( j >= 0 ) { + aPreviousChildElement = element.childNodes[j]; + if ( typeof aPreviousChildElement.setAttribute == 'function' && aPreviousChildElement.tagName != "BR" ) { + previousParentElement = aPreviousChildElement; + break; + } + j = j - 1; + } + } + parentSection = section; + if( childElement.nodeName == "section" ) { + parentSection = childElement ; + previousParentElement = childElement ; + } + if ( typeof childElement.setAttribute == 'function' || childElement.nodeType == Node.COMMENT_NODE ) { + addAttributes( parentSection, childElement, previousParentElement, separatorElementAttributes, separatorSectionAttributes ); + } + } + } + + if ( element.nodeType == Node.COMMENT_NODE ) { + if ( addAttributeInElement( element, previousElement, separatorElementAttributes ) == false ) { + addAttributeInElement( element, section, separatorSectionAttributes ); + } + } + } + + /** + * Converts any current data-markdown slides in the + * DOM to HTML. + */ + function convertSlides() { + + var sections = document.querySelectorAll( '[data-markdown]'); + + for( var i = 0, len = sections.length; i < len; i++ ) { + + var section = sections[i]; + + // Only parse the same slide once + if( !section.getAttribute( 'data-markdown-parsed' ) ) { + + section.setAttribute( 'data-markdown-parsed', true ) + + var notes = section.querySelector( 'aside.notes' ); + var markdown = getMarkdownFromSlide( section ); + + var rendered = marked( markdown ); + rendered = preventXSS(rendered); + + section.innerHTML = rendered; + addAttributes( section, section, null, section.getAttribute( 'data-element-attributes' ) || + section.parentNode.getAttribute( 'data-element-attributes' ) || + DEFAULT_ELEMENT_ATTRIBUTES_SEPARATOR, + section.getAttribute( 'data-attributes' ) || + section.parentNode.getAttribute( 'data-attributes' ) || + DEFAULT_SLIDE_ATTRIBUTES_SEPARATOR); + + // If there were notes, we need to re-add them after + // having overwritten the section's HTML + if( notes ) { + section.appendChild( notes ); + } + + } + + } + + } + + // API + return { + + initialize: function() { + processSlides(); + convertSlides(); + }, + + // TODO: Do these belong in the API? + processSlides: processSlides, + convertSlides: convertSlides, + slidify: slidify + + }; + +})); diff --git a/public/views/foot.ejs b/public/views/foot.ejs index 3a5ef145..dfb07ece 100644 --- a/public/views/foot.ejs +++ b/public/views/foot.ejs @@ -60,6 +60,7 @@ <script type="text/javascript" src="//cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" defer></script> <script src="/js/common.js" defer></script> <script src="/js/extra.js" defer></script> +<script src="/js/render.js" defer></script> <script src="/js/history.js" defer></script> <script src="/js/index.js" defer></script> <script src="/js/syncscroll.js" defer></script>
\ No newline at end of file diff --git a/public/views/pretty.ejs b/public/views/pretty.ejs index 07b0f7b2..998b2ef7 100644 --- a/public/views/pretty.ejs +++ b/public/views/pretty.ejs @@ -76,6 +76,7 @@ <script src="<%- url %>/vendor/js-yaml/dist/js-yaml.min.js" defer></script> <% } %> <script src="<%- url %>/vendor/lz-string/libs/lz-string.min.js" defer></script> +<script src="<%- url %>/vendor/xss/dist/xss.min.js" defer></script> <script src="<%- url %>/vendor/remarkable.min.js" defer></script> <script src="<%- url %>/vendor/remarkable-regex.js" defer></script> <script src="<%- url %>/vendor/gist-embed.js" defer></script> @@ -94,4 +95,5 @@ </script> <script type="text/javascript" src="//cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" defer></script> <script src="<%- url %>/js/extra.js" defer></script> +<script src="<%- url %>/js/render.js" defer></script> <script src="<%- url %>/js/pretty.js" defer></script>
\ No newline at end of file diff --git a/public/views/slide/reveal.hbs b/public/views/slide/reveal.hbs index fd19f23c..fd87ddb3 100644 --- a/public/views/slide/reveal.hbs +++ b/public/views/slide/reveal.hbs @@ -31,6 +31,8 @@ <script src="/vendor/reveal.js/lib/js/head.min.js"></script> <script src="/vendor/reveal.js/js/reveal.js"></script> <script src="/vendor/string.min.js"></script> + <script src="/vendor/xss/dist/xss.min.js"></script> + <script src="/js/render.js"></script> <script> var body = $(".slides").html(); @@ -53,7 +55,7 @@ var deps = [ { src: '/vendor/reveal.js/lib/js/classList.js', condition: function() { return !document.body.classList; } }, { src: '/vendor/reveal.js/plugin/markdown/marked.js', condition: function() { return !!document.querySelector('[data-markdown]'); } }, - { src: '/vendor/reveal.js/plugin/markdown/markdown.js', condition: function() { return !!document.querySelector('[data-markdown]'); } }, + { src: '/js/reveal-markdown.js', condition: function() { return !!document.querySelector('[data-markdown]'); } }, { src: '/vendor/reveal.js/plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } }, { src: '/vendor/reveal.js/plugin/notes/notes.js', async: true, condition: function() { return !!document.body.classList; } }, { src: '/vendor/reveal.js/plugin/math/math.js', async: true } |