authorWu Cheng-Han2017-10-05 10:17:26 +0800
committerWu Cheng-Han2017-10-05 10:17:26 +0800
commitd96385eafdc8e9c408088a3f95a60c9a0193ef67 (patch)
treefda9fe8802e34ae2aa8b72c021a4198b4c6eb642 /public
parentb0b417cefcc91b2c14f48d4b0b41008d1e12754c (diff)
Fix to filter @import CSS syntax in style tag to prevent XSS [Security Issue]
Diffstat (limited to 'public')
-rw-r--r--public/js/extra.js13
1 files changed, 9 insertions, 4 deletions
diff --git a/public/js/extra.js b/public/js/extra.js
index b23d732f..a1a9dbb6 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -552,10 +552,6 @@ export function finishView (view) {
} catch (err) {
console.warn(err)
}
- // unescape > symbel inside the style tags
- view.find('style').each((key, value) => {
- $(value).html($(value).html().replace(/>/g, '>'))
- })
// render title
document.title = renderTitle(view)
}
@@ -563,6 +559,15 @@ export function finishView (view) {
// only static transform should be here
export function postProcess (code) {
const result = $(`<div>${code}</div>`)
+ // process style tags
+ result.find('style').each((key, value) => {
+ let html = $(value).html()
+ // unescape > symbel inside the style tags
+ html = html.replace(/&gt;/g, '>')
+ // remove css @import to prevent XSS
+ html = html.replace(/@import url\(([^)]*)\);?/gi, '')
+ $(value).html(html)
+ })
// link should open in new window or tab
result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
// update continue line numbers
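Review bot: The filter on the `html = html.replace(/@import url\(([^)]*)\);?/gi, '')` line only removes the `url(...)` form of the at-rule, but CSS also accepts a quoted-string target (`@import "x.css";`) and an optional media list after the target, so those imports pass through untouched and the gap the commit sets out to close is only partly covered. Matching the whole at-rule up to its terminator is the smallest broader check and errs toward stripping more rather than less: `html = html.replace(/@import\b[^;]*;?/gi, '')`. Regex filtering of a parsed language stays fragile, so if style content is attacker-controlled a CSS parser/sanitizer is the robust fix; a comment such as `// strip every @import at-rule (url() and string forms) — remote stylesheets are an XSS vector` would also record why the line exists. The comment above the `&gt;` replacement reads "symbel"; "symbol" is meant. postProcess continues past the end of the hunk.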