From 5bc642d02e8955b200bb21cf30e863fdf0c53765 Mon Sep 17 00:00:00 2001
From: BoHong Li
Date: Thu, 9 Mar 2017 02:41:05 +0800
Subject: Use JavaScript Standard Style (part 2)

Fixed all fail on frontend code.
---
 public/js/render.js | 76 +++++++++++++++++++++++++++--------------------------
 1 file changed, 39 insertions(+), 37 deletions(-)

(limited to 'public/js/render.js')

diff --git a/public/js/render.js b/public/js/render.js
index 5d6d0aa2..61663a4b 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -1,62 +1,64 @@
+/* eslint-env browser, jquery */
+/* global filterXSS */
 // allow some attributes
-var whiteListAttr = ['id', 'class', 'style'];
-window.whiteListAttr = whiteListAttr;
+var whiteListAttr = ['id', 'class', 'style']
+window.whiteListAttr = whiteListAttr
 // allow link starts with '.', '/' and custom protocol with '://'
-var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
+var linkRegex = /^([\w|-]+:\/\/)|^([.|/])+/
 // allow data uri, from https://gist.github.com/bgrins/6194623
-var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@\/?%\s]*)\s*$/i;
+var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i
 // custom white list
-var whiteList = filterXSS.whiteList;
+var whiteList = filterXSS.whiteList
 // allow ol specify start number
-whiteList['ol'] = ['start'];
+whiteList['ol'] = ['start']
 // allow li specify value number
-whiteList['li'] = ['value'];
+whiteList['li'] = ['value']
 // allow style tag
-whiteList['style'] = [];
+whiteList['style'] = []
 // allow kbd tag
-whiteList['kbd'] = [];
+whiteList['kbd'] = []
 // allow ifram tag with some safe attributes
-whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height'];
+whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height']
 // allow summary tag
-whiteList['summary'] = [];
+whiteList['summary'] = []
 var filterXSSOptions = {
- allowCommentTag: true,
- whiteList: whiteList,
- escapeHtml: function (html) {
+ allowCommentTag: true,
+ whiteList: whiteList,
+ escapeHtml: function (html) {
 // allow html comment in multiple lines
- return html.replace(/<(.*?)>/g, '<$1>');
- },
- onIgnoreTag: function (tag, html, options) {
+ return html.replace(/<(.*?)>/g, '<$1>')
+ },
+ onIgnoreTag: function (tag, html, options) {
 // allow comment tag
- if (tag == "!--") {
+ if (tag === '!--') {
 // do not filter its attributes
- return html;
- }
- },
- onTagAttr: function (tag, name, value, isWhiteAttr) {
+ return html
+ }
+ },
+ onTagAttr: function (tag, name, value, isWhiteAttr) {
 // allow href and src that match linkRegex
- if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
- return name + '="' + filterXSS.escapeAttrValue(value) + '"';
- }
+ if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
+ return name + '="' + filterXSS.escapeAttrValue(value) + '"'
+ }
 // allow data uri in img src
- if (isWhiteAttr && (tag == "img" && name === 'src') && dataUriRegex.test(value)) {
- return name + '="' + filterXSS.escapeAttrValue(value) + '"';
- }
- },
- onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
+ if (isWhiteAttr && (tag === 'img' && name === 'src') && dataUriRegex.test(value)) {
+ return name + '="' + filterXSS.escapeAttrValue(value) + '"'
+ }
+ },
+ onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
 // allow attr start with 'data-' or in the whiteListAttr
- if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
+ if (name.substr(0, 5) === 'data-' || window.whiteListAttr.indexOf(name) !== -1) {
 // escape its value using built-in escapeAttrValue function
- return name + '="' + filterXSS.escapeAttrValue(value) + '"';
- }
+ return name + '="' + filterXSS.escapeAttrValue(value) + '"'
 }
-};
+ }
+}
-function preventXSS(html) {
- return filterXSS(html, filterXSSOptions);
+function preventXSS (html) {
+ return filterXSS(html, filterXSSOptions)
 }
-window.preventXSS = preventXSS;
+window.preventXSS = preventXSS
 module.exports = {
 preventXSS: preventXSS

-- cgit v1.2.3
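Review bot: The `linkRegex` early return in `onTagAttr` accepts any scheme — `^([\w|-]+:\/\/)` matches `javascript://` as readily as `https://` — and hands the value straight to `escapeAttrValue`, which only HTML-escapes, so as I read the js-xss callback contract this skips the library's own href/src scheme check and an `href="javascript://%0aalert(1)"` would survive sanitisation (browsers percent-decode the body of a `javascript:` URL, so the `//` comment ends at the decoded newline). Since the comment says custom `://` protocols are wanted, add a scheme denylist ahead of the early return rather than narrowing the regex: `var unsafeSchemeRegex = /^\s*(javascript|vbscript):/i` at top level and `if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value) && !unsafeSchemeRegex.test(value)) {`. Separately, `whiteList['iframe']` admits `srcdoc` while `sandbox` stays optional; a `srcdoc` document runs in the embedding page's origin, so unless a CSP or something outside this file blocks it, that attribute is a direct HTML injection point and should be dropped or only kept when a `sandbox` attribute is present. Both issues predate this commit, which only restyles the lines.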