
Merge branch 'master' of https://github.com/chrisi51/wekan into chrisi51-master

Lauri Ojansivu пре 4 година
родитељ
комит
9cfbd7b37d
2 измењених фајлова са 41 додато и 4 уклоњено
  1. 41 1
      packages/markdown/src/template-integration.js
  2. 0 3
      releases/delete-phantomjs.sh

+ 41 - 1
packages/markdown/src/template-integration.js

@@ -9,7 +9,7 @@ var Markdown = require('markdown-it')({
 
 import markdownItMermaid from "@liradb2000/markdown-it-mermaid";
 
-/*
+
 // Static URL Scheme Listing
 var urlschemes = [
   "aodroplink",
@@ -22,6 +22,10 @@ var urlschemes = [
   "mailspring"
 ];
 
+
+
+
+
 // Better would be a field in the admin backend to set this dynamically
 // instead of putting all known or wanted url schemes here hard into code
 // but i was not able to access those settings
@@ -33,6 +37,42 @@ for(var i=0; i<urlschemes.length;i++){
   Markdown.linkify.add(urlschemes[i]+":",'http:');
 }
 
+
+// build fitting regex
+var regex = RegExp('^(' + urlschemes.join('|') + '):', 'gim');
+
+// Add a hook to enforce URI scheme allow-list
+DOMPurify.addHook('afterSanitizeAttributes', function (node) {
+  // build an anchor to map URLs to
+  var anchor = document.createElement('a');
+
+  // check all href attributes for validity
+  if (node.hasAttribute('href')) {
+    anchor.href = node.getAttribute('href');
+    if (anchor.protocol && !anchor.protocol.match(regex)) {
+      node.removeAttribute('href');
+    }
+  }
+  // check all action attributes for validity
+  if (node.hasAttribute('action')) {
+    anchor.href = node.getAttribute('action');
+    if (anchor.protocol && !anchor.protocol.match(regex)) {
+      node.removeAttribute('action');
+    }
+  }
+  // check all xlink:href attributes for validity
+  if (node.hasAttribute('xlink:href')) {
+    anchor.href = node.getAttribute('xlink:href');
+    if (anchor.protocol && !anchor.protocol.match(regex)) {
+      node.removeAttribute('xlink:href');
+    }
+  }
+});
+
+
+
+
+/*
 // Additional  safeAttrValue function to allow for other specific protocols
 // See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114
 function mySafeAttrValue(tag, name, value, cssFilter) {
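Review bot: The protocol allow-list added at lines 44–72 is built as a regex from `urlschemes.join('|')` with no escaping and is then copy-pasted three times for `href`, `action` and `xlink:href`; a scheme name containing `+` or `.` (both legal in scheme names, though none is visible in this hunk) would be misread as a regex operator, and the `g`/`m` flags on a `^`-anchored test of a single protocol token add nothing. Because `anchor.protocol` already comes back as a normalized lower-case `scheme:` token, an exact `Set` lookup behind one small helper is simpler, has no escaping problem, and makes the three attribute checks a single loop, as in the fence below. Separately, the check admits only the schemes in `urlschemes`, most of which sit outside this hunk; if that list does not also contain `http`, `https` and `mailto`, every ordinary web and mail link will lose its `href` after this commit, so that is worth confirming with a rendered-markdown test before merging. It also looks like the `/*` moved to line 77 leaves `mySafeAttrValue` commented out, making this hook the only protocol check in effect — a one-line comment saying so above the hook would save the next reader a search.
```javascript
// Allow-list of URL.protocol values ("scheme:"), lower-cased to match the
// normalized form the anchor element reports; exact lookup, so no escaping.
var allowedProtocols = new Set(urlschemes.map(function (s) {
  return s.toLowerCase() + ':';
}));

// Resolve value through the anchor; accept it when it yields no protocol
// or a protocol on the allow-list (same acceptance rule as the regex check).
function hasAllowedProtocol(anchor, value) {
  anchor.href = value;
  return !anchor.protocol || allowedProtocols.has(anchor.protocol);
}

// Add a hook to enforce URI scheme allow-list
DOMPurify.addHook('afterSanitizeAttributes', function (node) {
  var anchor = document.createElement('a');
  ['href', 'action', 'xlink:href'].forEach(function (attr) {
    if (node.hasAttribute(attr) && !hasAllowedProtocol(anchor, node.getAttribute(attr))) {
      node.removeAttribute(attr);
    }
  });
});
```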

+ 0 - 3
releases/delete-phantomjs.sh

@@ -1,3 +0,0 @@
-cd ~/repos/wekan/.build
-find . -name "*phantomjs*" | xargs rm -rf
-cd ~/repos/wekan