author | Wu Cheng-Han | 2017-10-05 10:17:26 +0800 |
---|---|---|
committer | Wu Cheng-Han | 2017-10-05 10:17:26 +0800 |
commit | d96385eafdc8e9c408088a3f95a60c9a0193ef67 (patch) | |
tree | fda9fe8802e34ae2aa8b72c021a4198b4c6eb642 /public | |
parent | b0b417cefcc91b2c14f48d4b0b41008d1e12754c (diff) |
Fix to filter @import CSS syntax in style tag to prevent XSS [Security Issue]
Diffstat (limited to 'public')
-rw-r--r-- | public/js/extra.js | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/public/js/extra.js b/public/js/extra.js
index b23d732f..a1a9dbb6 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -552,10 +552,6 @@ export function finishView (view) {
   } catch (err) {
     console.warn(err)
   }
-  // unescape > symbel inside the style tags
-  view.find('style').each((key, value) => {
-    $(value).html($(value).html().replace(/>/g, '>'))
-  })
   // render title
   document.title = renderTitle(view)
 }
@@ -563,6 +559,15 @@ export function finishView (view) {
 // only static transform should be here
 export function postProcess (code) {
   const result = $(`<div>${code}</div>`)
+  // process style tags
+  result.find('style').each((key, value) => {
+    let html = $(value).html()
+    // unescape > symbel inside the style tags
+    html = html.replace(/>/g, '>')
+    // remove css @import to prevent XSS
+    html = html.replace(/@import url\(([^)]*)\);?/gi, '')
+    $(value).html(html)
+  })
   // link should open in new window or tab
   result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
   // update continue line numbers |
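Review bot: The `@import` filter added in postProcess only strips the `@import url(...)` spelling of the at-rule, while CSS also accepts a quoted-string form (`@import "…";`) that this regex leaves untouched, and `[^)]*` stops at the first `)`, so a quoted URL containing a parenthesis is not fully consumed either. A denylist keyed on one syntactic form is fragile for a security filter; matching the rule by its keyword, e.g. `html = html.replace(/@import\b[^;]*;?/gi, '')`, covers both forms, and a proper CSS parser would be more robust still if one is already a dependency. The `;?` also means `@import url(x) screen;` leaves a dangling ` screen;` behind, which is harmless but worth a comment on why the filter is best-effort. As rendered here the unescape on the preceding line reads as a no-op (`/>/g` replaced by `'>'`); presumably the source pattern is an HTML entity that the page decoded, so the source file should be checked rather than this rendering. postProcess continues past the end of this hunk.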