From d96385eafdc8e9c408088a3f95a60c9a0193ef67 Mon Sep 17 00:00:00 2001
From: Wu Cheng-Han
Date: Thu, 5 Oct 2017 10:17:26 +0800
Subject: Fix to filter @import CSS syntax in style tag to prevent XSS [Security Issue]
---
 public/js/extra.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'public')
diff --git a/public/js/extra.js b/public/js/extra.js
index b23d732f..a1a9dbb6 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -552,10 +552,6 @@ export function finishView (view) {
 } catch (err) {
 console.warn(err)
 }
- // unescape > symbel inside the style tags
- view.find('style').each((key, value) => {
- $(value).html($(value).html().replace(/>/g, '>'))
- })
 // render title
 document.title = renderTitle(view)
 }
@@ -563,6 +559,15 @@ export function finishView (view) {
 // only static transform should be here
 export function postProcess (code) {
 const result = $(`