Home Explore Help
Sign In
mirrors
/
wekan
mirror of https://github.com/wekan/wekan.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge branch 'master' of https://github.com/chrisi51/wekan into chrisi51-master

Lauri Ojansivu 3 years ago
parent
62bfa75cf7 ea60d5a205
commit
9cfbd7b37d
2 changed files with 41 additions and 4 deletions
Split View Show Diff Stats
  1. 41 1
      packages/markdown/src/template-integration.js
  2. 0 3
      releases/delete-phantomjs.sh

+ 41 - 1
packages/markdown/src/template-integration.js
View File 

@@ -9,7 +9,7 @@ var Markdown = require('markdown-it')({
 
 
 import markdownItMermaid from "@liradb2000/markdown-it-mermaid";
 
 
-/*
 
+
 
 // Static URL Scheme Listing
 
 var urlschemes = [
 
   "aodroplink",
 
@@ -22,6 +22,10 @@ var urlschemes = [
 
   "mailspring"
 
 ];
 
 
+
 
+
 
+
 
+
 
 // Better would be a field in the admin backend to set this dynamically
 
 // instead of putting all known or wanted url schemes here hard into code
 
 // but i was not able to access those settings
 
@@ -33,6 +37,42 @@ for(var i=0; i<urlschemes.length;i++){
 
   Markdown.linkify.add(urlschemes[i]+":",'http:');
 
 }
 
 
+
 
+// build fitting regex
 
+var regex = RegExp('^(' + urlschemes.join('|') + '):', 'gim');
 
+
 
+// Add a hook to enforce URI scheme allow-list
 
+DOMPurify.addHook('afterSanitizeAttributes', function (node) {
 
+  // build an anchor to map URLs to
 
+  var anchor = document.createElement('a');
 
+
 
+  // check all href attributes for validity
 
+  if (node.hasAttribute('href')) {
 
+    anchor.href = node.getAttribute('href');
 
+    if (anchor.protocol && !anchor.protocol.match(regex)) {
 
+      node.removeAttribute('href');
 
+    }
 
+  }
 
+  // check all action attributes for validity
 
+  if (node.hasAttribute('action')) {
 
+    anchor.href = node.getAttribute('action');
 
+    if (anchor.protocol && !anchor.protocol.match(regex)) {
 
+      node.removeAttribute('action');
 
+    }
 
+  }
 
+  // check all xlink:href attributes for validity
 
+  if (node.hasAttribute('xlink:href')) {
 
+    anchor.href = node.getAttribute('xlink:href');
 
+    if (anchor.protocol && !anchor.protocol.match(regex)) {
 
+      node.removeAttribute('xlink:href');
 
+    }
 
+  }
 
+});
 
+
 
+
 
+
 
+
 
+/*
 
 // Additional  safeAttrValue function to allow for other specific protocols
 
 // See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114
 
 function mySafeAttrValue(tag, name, value, cssFilter) {

+ 0 - 3
releases/delete-phantomjs.sh
View File 

@@ -1,3 +0,0 @@
 
-cd ~/repos/wekan/.build
 
-find . -name "*phantomjs*" | xargs rm -rf
 
-cd ~/repos/wekan