From 4c4a0e0f3fe9b4e33f2182f3f8e20d87736b371d Mon Sep 17 00:00:00 2001 From: Cheng-Han, Wu Date: Thu, 11 Feb 2016 03:45:13 -0600 Subject: Fixed prevent XSS might break lots of tags and only need after rendered --- lib/response.js | 3 - package.json | 3 +- public/js/extra.js | 22 +-- public/js/index.js | 5 +- public/js/pretty.js | 4 +- public/js/render.js | 13 ++ public/js/reveal-markdown.js | 405 ++++++++++++++++++++++++++++++++++++++++++ public/views/foot.ejs | 1 + public/views/pretty.ejs | 2 + public/views/slide/reveal.hbs | 4 +- 10 files changed, 442 insertions(+), 20 deletions(-) create mode 100644 public/js/render.js create mode 100755 public/js/reveal-markdown.js diff --git a/lib/response.js b/lib/response.js index c12c4caa..07cb5ba9 100644 --- a/lib/response.js +++ b/lib/response.js @@ -11,7 +11,6 @@ var shortId = require('shortid'); var metaMarked = require('meta-marked'); var querystring = require('querystring'); var request = require('request'); -var xss = require('xss'); //core var config = require("../config.js"); @@ -228,7 +227,6 @@ function showPublishNote(req, res, next) { //na } var updatetime = notedata.update_time; - body = xss(body); // prevent xss var text = S(body).escapeHTML().s; var title = notedata.title; var decodedTitle = LZString.decompressFromBase64(title); @@ -612,7 +610,6 @@ function showPublishSlide(req, res, next) { var decodedTitle = LZString.decompressFromBase64(title); if (decodedTitle) title = decodedTitle; title = Note.generateWebTitle(title); - body = xss(body); // prevent xss var text = S(body).escapeHTML().s; render(res, title, text); }); diff --git a/package.json b/package.json index d96fabc7..4d701966 100644 --- a/package.json +++ b/package.json @@ -49,8 +49,7 @@ "socket.io": "1.4.4", "string": "^3.3.1", "toobusy-js": "^0.4.2", - "winston": "^2.1.1", - "xss": "^0.2.10" + "winston": "^2.1.1" }, "engines": { "node": ">=4.x" diff --git a/public/js/extra.js b/public/js/extra.js index 2c9c9037..a2ae83f6 100644 --- a/public/js/extra.js +++ b/public/js/extra.js @@ -180,7 +180,7 @@ function finishView(view) { .each(function (key, value) { $.ajax({ type: 'GET', - url: '//vimeo.com/api/v2/video/' + $(value).attr('videoid') + '.json', + url: '//vimeo.com/api/v2/video/' + $(value).attr('data-videoid') + '.json', jsonp: 'callback', dataType: 'jsonp', success: function (data) { @@ -285,7 +285,7 @@ function finishView(view) { .each(function (key, value) { $.ajax({ type: 'GET', - url: '//www.slideshare.net/api/oembed/2?url=http://www.slideshare.net/' + $(value).attr('slideshareid') + '&format=json', + url: '//www.slideshare.net/api/oembed/2?url=http://www.slideshare.net/' + $(value).attr('data-slideshareid') + '&format=json', jsonp: 'callback', dataType: 'jsonp', success: function (data) { @@ -304,7 +304,7 @@ function finishView(view) { //speakerdeck view.find(".speakerdeck.raw").removeClass("raw") .each(function (key, value) { - var url = 'https://speakerdeck.com/oembed.json?url=https%3A%2F%2Fspeakerdeck.com%2F' + encodeURIComponent($(value).attr('speakerdeckid')); + var url = 'https://speakerdeck.com/oembed.json?url=https%3A%2F%2Fspeakerdeck.com%2F' + encodeURIComponent($(value).attr('data-speakerdeckid')); //use yql because speakerdeck not support jsonp $.ajax({ url: 'https://query.yahooapis.com/v1/public/yql', @@ -383,8 +383,8 @@ function exportToHTML(view) { $(value).attr('src', 'https://www.tortue.me/emoji/' + name + '.png'); }); //replace video to iframe - src.find("div[videoid]").each(function (key, value) { - var id = $(value).attr('videoid'); + src.find("div[data-videoid]").each(function (key, value) { + var id = $(value).attr('data-videoid'); var style = $(value).attr('style'); var url = null; if ($(value).hasClass('youtube')) { @@ -534,9 +534,9 @@ function smoothHashScroll() { } function imgPlayiframe(element, src) { - if (!$(element).attr("videoid")) return; + if (!$(element).attr("data-videoid")) return; var iframe = $(""); - $(iframe).attr("src", src + $(element).attr("videoid") + '?autoplay=1'); + $(iframe).attr("src", src + $(element).attr("data-videoid") + '?autoplay=1'); $(element).find('img').css('visibility', 'hidden'); $(element).append(iframe); } @@ -730,7 +730,7 @@ var youtubePlugin = new Plugin( var videoid = match[1]; if (!videoid) return; var div = $('
'); - div.attr('videoid', videoid); + div.attr('data-videoid', videoid); var thumbnail_src = '//img.youtube.com/vi/' + videoid + '/hqdefault.jpg'; var image = ''; div.append(image); @@ -749,7 +749,7 @@ var vimeoPlugin = new Plugin( var videoid = match[1]; if (!videoid) return; var div = $(''); - div.attr('videoid', videoid); + div.attr('data-videoid', videoid); var icon = ''; div.append(icon); return div[0].outerHTML; @@ -799,7 +799,7 @@ var slidesharePlugin = new Plugin( function (match, utils) { var slideshareid = match[1]; var div = $(''); - div.attr('slideshareid', slideshareid); + div.attr('data-slideshareid', slideshareid); return div[0].outerHTML; } ); @@ -812,7 +812,7 @@ var speakerdeckPlugin = new Plugin( function (match, utils) { var speakerdeckid = match[1]; var div = $(''); - div.attr('speakerdeckid', speakerdeckid); + div.attr('data-speakerdeckid', speakerdeckid); return div[0].outerHTML; } ); diff --git a/public/js/index.js b/public/js/index.js index 1150f7ae..2e797ac3 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -2132,11 +2132,12 @@ var lastResult = null; function updateViewInner() { if (currentMode == modeType.edit || !isDirty) return; var value = editor.getValue(); - value = filterXSS(value); // prevent xss md.meta = {}; md.render(value); //only for get meta parseMeta(md, ui.area.markdown, $('#toc'), $('#toc-affix')); - var result = postProcess(md.render(value)).children().toArray(); + var rendered = md.render(value); + rendered = preventXSS(rendered); + var result = postProcess(rendered).children().toArray(); partialUpdate(result, lastResult, ui.area.markdown.children().toArray()); if (result && lastResult && result.length != lastResult.length) updateDataAttrs(result, ui.area.markdown.children().toArray()); diff --git a/public/js/pretty.js b/public/js/pretty.js index 43e833c2..a38dc244 100644 --- a/public/js/pretty.js +++ b/public/js/pretty.js @@ -3,7 +3,9 @@ var text = $('').html(markdown.html()).text(); md.meta = {}; md.render(text); //only for get meta parseMeta(md, markdown, $('#toc'), $('#toc-affix')); -var result = postProcess(md.render(text)); +var rendered = md.render(text); +rendered = preventXSS(rendered); +var result = postProcess(rendered); markdown.html(result.html()); $(document.body).show(); finishView(markdown); diff --git a/public/js/render.js b/public/js/render.js new file mode 100644 index 00000000..1abb68c5 --- /dev/null +++ b/public/js/render.js @@ -0,0 +1,13 @@ +function preventXSS(html) { + var options = { + allowCommentTag: true, + onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { + // allow attr start with 'data-' or equal 'id' and 'class' + if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') { + // escape its value using built-in escapeAttrValue function + return name + '="' + filterXSS.escapeAttrValue(value) + '"'; + } + } + }; + return filterXSS(html, options); +} \ No newline at end of file diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js new file mode 100755 index 00000000..a3f2505a --- /dev/null +++ b/public/js/reveal-markdown.js @@ -0,0 +1,405 @@ +/** + * The reveal.js markdown plugin. Handles parsing of + * markdown inside of presentations as well as loading + * of external markdown documents. + */ +(function( root, factory ) { + if( typeof exports === 'object' ) { + module.exports = factory( require( './marked' ) ); + } + else { + // Browser globals (root is window) + root.RevealMarkdown = factory( root.marked ); + root.RevealMarkdown.initialize(); + } +}( this, function( marked ) { + + if( typeof marked === 'undefined' ) { + throw 'The reveal.js Markdown plugin requires marked to be loaded'; + } + + if( typeof hljs !== 'undefined' ) { + marked.setOptions({ + highlight: function( lang, code ) { + return hljs.highlightAuto( lang, code ).value; + } + }); + } + + var DEFAULT_SLIDE_SEPARATOR = '^\r?\n---\r?\n$', + DEFAULT_NOTES_SEPARATOR = 'note:', + DEFAULT_ELEMENT_ATTRIBUTES_SEPARATOR = '\\\.element\\\s*?(.+?)$', + DEFAULT_SLIDE_ATTRIBUTES_SEPARATOR = '\\\.slide:\\\s*?(\\\S.+?)$'; + + var SCRIPT_END_PLACEHOLDER = '__SCRIPT_END__'; + + + /** + * Retrieves the markdown contents of a slide section + * element. Normalizes leading tabs/whitespace. + */ + function getMarkdownFromSlide( section ) { + + var template = section.querySelector( 'script' ); + + // strip leading whitespace so it isn't evaluated as code + var text = ( template || section ).textContent; + + // restore script end tags + text = text.replace( new RegExp( SCRIPT_END_PLACEHOLDER, 'g' ), '' ); + + var leadingWs = text.match( /^\n?(\s*)/ )[1].length, + leadingTabs = text.match( /^\n?(\t*)/ )[1].length; + + if( leadingTabs > 0 ) { + text = text.replace( new RegExp('\\n?\\t{' + leadingTabs + '}','g'), '\n' ); + } + else if( leadingWs > 1 ) { + text = text.replace( new RegExp('\\n? {' + leadingWs + '}', 'g'), '\n' ); + } + + return text; + + } + + /** + * Given a markdown slide section element, this will + * return all arguments that aren't related to markdown + * parsing. Used to forward any other user-defined arguments + * to the output markdown slide. + */ + function getForwardedAttributes( section ) { + + var attributes = section.attributes; + var result = []; + + for( var i = 0, len = attributes.length; i < len; i++ ) { + var name = attributes[i].name, + value = attributes[i].value; + + // disregard attributes that are used for markdown loading/parsing + if( /data\-(markdown|separator|vertical|notes)/gi.test( name ) ) continue; + + if( value ) { + result.push( name + '="' + value + '"' ); + } + else { + result.push( name ); + } + } + + return result.join( ' ' ); + + } + + /** + * Inspects the given options and fills out default + * values for what's not defined. + */ + function getSlidifyOptions( options ) { + + options = options || {}; + options.separator = options.separator || DEFAULT_SLIDE_SEPARATOR; + options.notesSeparator = options.notesSeparator || DEFAULT_NOTES_SEPARATOR; + options.attributes = options.attributes || ''; + + return options; + + } + + /** + * Helper function for constructing a markdown slide. + */ + function createMarkdownSlide( content, options ) { + + options = getSlidifyOptions( options ); + + var notesMatch = content.split( new RegExp( options.notesSeparator, 'mgi' ) ); + + if( notesMatch.length === 2 ) { + content = notesMatch[0] + ''; + } + + // prevent script end tags in the content from interfering + // with parsing + content = content.replace( /<\/script>/g, SCRIPT_END_PLACEHOLDER ); + + return ''; + + } + + /** + * Parses a data string into multiple slides based + * on the passed in separator arguments. + */ + function slidify( markdown, options ) { + + options = getSlidifyOptions( options ); + + var separatorRegex = new RegExp( options.separator + ( options.verticalSeparator ? '|' + options.verticalSeparator : '' ), 'mg' ), + horizontalSeparatorRegex = new RegExp( options.separator ); + + var matches, + lastIndex = 0, + isHorizontal, + wasHorizontal = true, + content, + sectionStack = []; + + // iterate until all blocks between separators are stacked up + while( matches = separatorRegex.exec( markdown ) ) { + notes = null; + + // determine direction (horizontal by default) + isHorizontal = horizontalSeparatorRegex.test( matches[0] ); + + if( !isHorizontal && wasHorizontal ) { + // create vertical stack + sectionStack.push( [] ); + } + + // pluck slide content from markdown input + content = markdown.substring( lastIndex, matches.index ); + + if( isHorizontal && wasHorizontal ) { + // add to horizontal stack + sectionStack.push( content ); + } + else { + // add to vertical stack + sectionStack[sectionStack.length-1].push( content ); + } + + lastIndex = separatorRegex.lastIndex; + wasHorizontal = isHorizontal; + } + + // add the remaining slide + ( wasHorizontal ? sectionStack : sectionStack[sectionStack.length-1] ).push( markdown.substring( lastIndex ) ); + + var markdownSections = ''; + + // flatten the hierarchical stack, and insertRemember that you need to serve the presentation HTML from a HTTP server.
' + + '