
- fix lint errors

- correctly parse self-closing tags
- fix naughty functions
This commit is contained in:
Baptiste Augrain
2018-08-25 23:36:43 +02:00
parent 3bdc88cecb
commit fabc975b20


@@ -37,18 +37,18 @@ module.exports = function sanitizePlugin (md, options) {
}) })
} }
const tag_regex = /<([A-Z][A-Z0-9]*)\s*((?:\s*[A-Z][A-Z0-9]*(?:="(?:[^\"]+)\")?)*)\s*>|<\/([A-Z][A-Z0-9]*)\s*>/i const tagRegex = /<([A-Z][A-Z0-9]*)\s*((?:\s*[A-Z][A-Z0-9]*(?:="(?:[^\"]+)\")?)*)\s*\/?>|<\/([A-Z][A-Z0-9]*)\s*>/i
const attributes_regex = /([A-Z][A-Z0-9]*)(="[^\"]+\")?/ig const attributesRegex = /([A-Z][A-Z0-9]*)(="[^\"]+\")?/ig
function sanitizeInline (html, options) { function sanitizeInline (html, options) {
let match = tag_regex.exec(html) let match = tagRegex.exec(html)
if (!match) { if (!match) {
return '' return ''
} }
const { allowedTags, allowedAttributes, allowedIframeHostnames, selfClosing, allowedSchemesAppliedToAttributes } = options const { allowedTags, allowedAttributes, selfClosing, allowedSchemesAppliedToAttributes } = options
if (match[1] !== null) { if (match[1] !== undefined) {
// opening tag // opening tag
const tag = match[1].toLowerCase() const tag = match[1].toLowerCase()
if (allowedTags.indexOf(tag) === -1) { if (allowedTags.indexOf(tag) === -1) {
@@ -61,13 +61,13 @@ function sanitizeInline(html, options) {
let name let name
let value let value
while ((match = attributes_regex.exec(attributes))) { while ((match = attributesRegex.exec(attributes))) {
name = match[1].toLowerCase() name = match[1].toLowerCase()
value = match[2] value = match[2]
if (allowedAttributes['*'].indexOf(name) !== -1 || (allowedAttributes[tag] && allowedAttributes[tag].indexOf(name) !== -1)) { if (allowedAttributes['*'].indexOf(name) !== -1 || (allowedAttributes[tag] && allowedAttributes[tag].indexOf(name) !== -1)) {
if (allowedSchemesAppliedToAttributes.indexOf(name) !== -1) { if (allowedSchemesAppliedToAttributes.indexOf(name) !== -1) {
if (naughtyHRef(value) || (tag === 'iframe' && name === 'src' && naughtyIFrame(value))) { if (naughtyHRef(value, options) || (tag === 'iframe' && name === 'src' && naughtyIFrame(value, options))) {
continue continue
} }
} }
@@ -91,8 +91,8 @@ function sanitizeInline(html, options) {
} }
} }
function naughtyHRef(name, href, options) { function naughtyHRef (href, options) {
href = href.replace(/[\x00-\x20]+/g, '') // href = href.replace(/[\x00-\x20]+/g, '')
href = href.replace(/<\!\-\-.*?\-\-\>/g, '') href = href.replace(/<\!\-\-.*?\-\-\>/g, '')
const matches = href.match(/^([a-zA-Z]+)\:/) const matches = href.match(/^([a-zA-Z]+)\:/)
@@ -110,11 +110,11 @@ function naughtyHRef(name, href, options) {
return options.allowedSchemes.indexOf(scheme) === -1 return options.allowedSchemes.indexOf(scheme) === -1
} }
function naughtyIFrame(src) { function naughtyIFrame (src, options) {
try { try {
const parsed = url.parse(src, false, true) const parsed = url.parse(src, false, true)
return allowedIframeHostnames.index(parsed.hostname) === -1 return options.allowedIframeHostnames.index(parsed.hostname) === -1
} catch (e) { } catch (e) {
return true return true
} }