security: #556 XSS attack
JiHong88 committed Nov 11, 2020
1 parent c050db2 commit c0d1776
Showing 3 changed files with 8 additions and 69 deletions.
28 changes: 0 additions & 28 deletions sample/html/out/document-editor.html
Expand Up @@ -2171,33 +2171,6 @@ <h5>Parameters:</h5>
<dl class="details"></dl>


<h4 class="name" id="convertContentsForEditor"><span class="type-signature"></span>convertContentsForEditor<span class="signature">(contents)</span><span
class="type-signature"> &rarr; {String}</span></h4>
<div class="description">
Converts contents into a format that can be placed in an editor.
</div>
<h5>Parameters:</h5>
<table class="params">
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th class="last">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="name"><code>contents</code></td>
<td class="type">
<span class="param-type">String</span>
</td>
<td class="description last">Contents</td>
</tr>
</tbody>
</table>
<dl class="details"></dl>


<h4 class="name" id="convertHTMLForCodeView"><span class="type-signature"></span>convertHTMLForCodeView<span class="signature">(html)</span><span
class="type-signature"> &rarr; {String}</span></h4>
<div class="description">
Expand Down Expand Up @@ -2321,7 +2294,6 @@ <h3>core</h3>
<li><a href="document-editor.html#getCharLength">getCharLength</a></li>
<li><a href="document-editor.html#addDocEvent">addDocEvent</a></li>
<li><a href="document-editor.html#removeDocEvent">removeDocEvent</a></li>
<li><a href="document-editor.html#convertContentsForEditor">convertContentsForEditor</a></li>
<li><a href="document-editor.html#convertHTMLForCodeView">convertHTMLForCodeView</a></li>
</ul>
</nav>
7 changes: 0 additions & 7 deletions src/lib/core.d.ts
Expand Up @@ -531,13 +531,6 @@ interface Core {
* @returns
*/
cleanHTML(html: string, whitelist?: string | RegExp): string;

/**
* @description Converts contents into a format that can be placed in an editor
* @param contents contents
* @returns
*/
convertContentsForEditor(contents: string): string;

/**
* @description Converts wysiwyg area element into a format that can be placed in an editor of code view mode
42 changes: 8 additions & 34 deletions src/lib/core.js
Expand Up @@ -4148,7 +4148,7 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re
}

this._wd.head.innerHTML = parseDocument.head.innerHTML;
this._wd.body.innerHTML = this.convertContentsForEditor(parseDocument.body.innerHTML);
this._wd.body.innerHTML = this.cleanHTML(parseDocument.body.innerHTML, null);

const attrs = parseDocument.body.attributes;
for (let i = 0, len = attrs.length; i < len; i++) {
Expand All @@ -4162,7 +4162,7 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re
}
}
} else {
context.element.wysiwyg.innerHTML = code_html.length > 0 ? this.convertContentsForEditor(code_html) : '<' + options.defaultTag + '><br></' + options.defaultTag + '>';
context.element.wysiwyg.innerHTML = code_html.length > 0 ? this.cleanHTML(code_html, null) : '<' + options.defaultTag + '><br></' + options.defaultTag + '>';
}
},

Expand Down Expand Up @@ -4414,7 +4414,7 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re
setContents: function (html) {
this.removeRange();

const convertValue = (html === null || html === undefined) ? '' : this.convertContentsForEditor(html);
const convertValue = (html === null || html === undefined) ? '' : this.cleanHTML(html, null);
this._resetComponents();

if (!this._variable.isCodeView) {
Expand All @@ -4434,7 +4434,7 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re
setIframeContents: function (ctx) {
if (!options.iframe) return false;
if (ctx.head) this._wd.head.innerHTML = ctx.head.replace(/<script\s*.*>.*<\/script>/g, '');
if (ctx.body) this._wd.body.innerHTML = this.convertContentsForEditor(ctx.body);
if (ctx.body) this._wd.body.innerHTML = this.cleanHTML(ctx.body, null);
},

/**
Expand Down Expand Up @@ -4465,7 +4465,7 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re

/**
* @description Returns HTML string according to tag type and configuration.
* Use only "cleanHTML", "convertContentsForEditor"
* Use only "cleanHTML"
* @param {Node} node Node
* @param {Boolean} requireFormat If true, text nodes that do not have a format node is wrapped with the format tag.
* @private
Expand Down Expand Up @@ -4532,7 +4532,7 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re
/**
* @description Gets the clean HTML code for editor
* @param {String} html HTML string
* @param {String|RegExp} whitelist Regular expression of allowed tags.
* @param {String|RegExp|null} whitelist Regular expression of allowed tags.
* RegExp object is create by util.createTagsWhitelist method. (core.pasteTagsWhitelistRegExp)
* @returns {String}
*/
Expand Down Expand Up @@ -4605,32 +4605,6 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re
return this._tagConvertor(!cleanHTML ? html : !whitelist ? cleanHTML : cleanHTML.replace(typeof whitelist === 'string' ? util.createTagsWhitelist(whitelist) : whitelist, ''));
},

/**
* @description Converts contents into a format that can be placed in an editor
* @param {String} contents contents
* @returns {String}
*/
convertContentsForEditor: function (contents) {
const dom = _d.createRange().createContextualFragment(this._deleteDisallowedTags(contents));

try {
util._consistencyCheckOfHTML(dom, this._htmlCheckWhitelistRegExp);
} catch (error) {
console.warn('[SUNEDITOR.convertContentsForEditor.consistencyCheck.fail] ' + error);
}

const domTree = dom.childNodes;
let cleanHTML = '';
for (let i = 0, len = domTree.length; i < len; i++) {
cleanHTML += this._makeLine(domTree[i], true);
}

if (cleanHTML.length === 0) return '<' + options.defaultTag + '><br></' + options.defaultTag + '>';

cleanHTML = util.htmlRemoveWhiteSpace(cleanHTML);
return this._tagConvertor(cleanHTML);
},

/**
* @description Converts wysiwyg area element into a format that can be placed in an editor of code view mode
* @param {Element|String} html WYSIWYG element (context.element.wysiwyg) or HTML string.
Expand Down Expand Up @@ -5014,7 +4988,7 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re
* @private
*/
_initWysiwygArea: function (reload, _initHTML) {
context.element.wysiwyg.innerHTML = reload ? _initHTML : this.convertContentsForEditor(typeof _initHTML === 'string' ? _initHTML : context.element.originElement.value);
context.element.wysiwyg.innerHTML = reload ? _initHTML : this.cleanHTML(typeof _initHTML === 'string' ? _initHTML : context.element.originElement.value, null);
},

/**
Expand Down Expand Up @@ -7503,7 +7477,7 @@ export default function (context, pluginCallButtons, plugins, lang, options, _re
* @param {String} contents Contents to Input
*/
appendContents: function (contents) {
const convertValue = core.convertContentsForEditor(contents);
const convertValue = core.cleanHTML(contents, null);

if (!core._variable.isCodeView) {
const temp = util.createElement('DIV');
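Review bot: Every replacement call site passes `null` as the whitelist, and the tail of `cleanHTML` that is visible as context (`return this._tagConvertor(!cleanHTML ? html : !whitelist ? cleanHTML : …)`) hands the raw `html` argument to `_tagConvertor` whenever the cleaned local is empty, whereas the removed `convertContentsForEditor` returned `'<' + options.defaultTag + '><br></' + options.defaultTag + '>'` in that case; the body of `cleanHTML` is mostly outside the hunk, so whether the local can be empty for a non-empty input cannot be confirmed from here, but if it can, content that the cleaner stripped entirely comes back unfiltered. A guard such as `if (!cleanHTML) return '<' + options.defaultTag + '><br></' + options.defaultTag + '>';` ahead of that return, or the same check at the call sites, would preserve the old contract for `setContents`, `setIframeContents`, `_initWysiwygArea` and `appendContents`, which unlike the code-view branch (`code_html.length > 0 ? …`) no longer handle the empty result themselves. The JSDoc for `cleanHTML` now documents `{String|RegExp|null}`, but `src/lib/core.d.ts` still declares `whitelist?: string | RegExp`, so TypeScript callers mirroring these `null` calls would fail under `strictNullChecks`; the declaration should read `whitelist?: string | RegExp | null`. Separately, in `setIframeContents` the unchanged head assignment still relies only on a single-line `<script>` regex (no `s` flag, so `.` does not cross newlines) while the body now goes through DOM-based cleaning, which leaves the two halves of the iframe document filtered to different standards. All of these hunks sit inside the enclosing `export default function`, whose start and end are outside the diff.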
