Merge pull request #1 from alromh87/master

Merging fix on-behalf of @alromh87 (034-js-editor-md).
nanguoyu · Apr 3, 2020 · 2da440a · 2da440a
2 parents 63786e6 + 0c6cdde
commit 2da440a
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 45 deletions.
diff --git a/README.md b/README.md
@@ -40,8 +40,8 @@
 - 支持 AMD / CMD 模块化加载（支持 [Require.js](https://pandao.github.io/editor.md/examples/use-requirejs.html) & [Sea.js](https://pandao.github.io/editor.md/examples/use-seajs.html)），并且支持[自定义扩展插件](https://pandao.github.io/editor.md/examples/define-plugin.html)；
 - 兼容主流的浏览器（IE8+）和 [Zepto.js](https://pandao.github.io/editor.md/examples/use-zepto.html)，且支持 iPad 等平板设备；
 
-#### Download & install
-
+#### Download & install
+
 Download:
 
 [Github download](https://github.com/pandao/editor.md/archive/master.zip)
@@ -58,23 +58,23 @@ Bower install :
 bower install editor.md
 ```
 
-#### Usages
-
+#### Usages
+
 ##### Create a Markdown editor
 
 ```html
 <link rel="stylesheet" href="editor.md/css/editormd.min.css" />
-<div id="editor">
+<div id="editor">
     <!-- Tips: Editor.md can auto append a `<textarea>` tag -->
     <textarea style="display:none;">### Hello Editor.md !</textarea>
 </div>
 <script src="jquery.min.js"></script>
 <script src="editor.md/editormd.min.js"></script>
 <script type="text/javascript">
     $(function() {
-        var editor = editormd("editor", {
-            // width: "100%",
-            // height: "100%",
+        var editor = editormd("editor", {
+            // width: "100%",
+            // height: "100%",
             // markdown: "xxxx",     // dynamic set Markdown text
             path : "editor.md/lib/"  // Autoload modules mode, codemirror, marked... dependents libs path
         });
@@ -85,13 +85,13 @@ bower install editor.md
 If you using modular script loader:
 
 - [Using Require.js](https://github.com/pandao/editor.md/tree/master/examples/use-requirejs.html)
-- [Using Sea.js](https://github.com/pandao/editor.md/tree/master/examples/use-seajs.html)
-
-##### Markdown to HTML
-
+- [Using Sea.js](https://github.com/pandao/editor.md/tree/master/examples/use-seajs.html)
+
+##### Markdown to HTML
+
 ```html
 <link rel="stylesheet" href="editormd/css/editormd.preview.css" />
-<div id="test-markdown-view">
+<div id="test-markdown-view">
     <!-- Server-side output Markdown text -->
     <textarea style="display:none;">### Hello world!</textarea>             
 </div>
@@ -104,27 +104,27 @@ If you using modular script loader:
 	    var testView = editormd.markdownToHTML("test-markdown-view", {
             // markdown : "[TOC]\n### Hello world!\n## Heading 2", // Also, you can dynamic set Markdown text
             // htmlDecode : true,  // Enable / disable HTML tag encode.
-            // htmlDecode : "style,script,iframe",  // Note: If enabled, you should filter some dangerous HTML tags for website security.
-        });
-    });
-</script>    
-```
-
-> See the full example: [http://editor.md.ipandao.com/examples/html-preview-markdown-to-html.html](http://editor.md.ipandao.com/examples/html-preview-markdown-to-html.html)
-
-##### HTML to Markdown?
-
+            // htmlDecode : "style,script,iframe|on*",  // Note: If enabled, you should filter some dangerous HTML tags for website security, you can also filter trigers.
+        });
+    });
+</script>    
+```
+
+> See the full example: [http://editor.md.ipandao.com/examples/html-preview-markdown-to-html.html](http://editor.md.ipandao.com/examples/html-preview-markdown-to-html.html)
+
+##### HTML to Markdown?
+
 Sorry, Editor.md not support HTML to Markdown parsing, Maybe In the future.
 
 #### Examples
 
-[https://pandao.github.io/editor.md/examples/index.html](https://pandao.github.io/editor.md/examples/index.html)
-
-#### Options
-
-Editor.md options and default values:
-
-```javascript
+[https://pandao.github.io/editor.md/examples/index.html](https://pandao.github.io/editor.md/examples/index.html)
+
+#### Options
+
+Editor.md options and default values:
+
+```javascript
 {
     mode                 : "gfm",          // gfm or markdown
     name                 : "",             // Form element name for post
@@ -229,19 +229,36 @@ Editor.md options and default values:
         name        : "zh-cn",
         description : "开源在线Markdown编辑器<br/>Open source online Markdown editor.",
         tocTitle    : "目录",
-        toolbar     : {
-            //...
-        },
-        button: {
-            //...
+        toolbar     : {
+            //...
+        },
+        button: {
+            //...
         },
-        dialog : {
-            //...
-        }
-        //...
-    }
-}
+        dialog : {
+            //...
+        }
+        //...
+    }
+}
+```
+
+#### Avoid XSS
+
+Script and events are disabled by default to avoid XSS
+
+If you want to enable you need to pass in htmlDecode:
+
+allowScript as FilterTag
+allowOn as FilterAttribute
+
 ```
+htmlDecode : "allowScript|allowOn"
+```
+
+extra filters can be set in coma separated list format
+
+Be warned that enabled scripting can be dangerous and lead to [XSS attacks](https://en.wikipedia.org/wiki/Cross-site_scripting)
 
 #### Dependents
 

diff --git a/src/editormd.js b/src/editormd.js
@@ -3804,13 +3804,20 @@
         }
 
         if (typeof filters !== "string") {
-            return html;
+            // If no filters set use "script|on*" by default to avoid XSS
+            filters = "script|on*";
         }
 
         var expression = filters.split("|");
         var filterTags = expression[0].split(",");
         var attrs      = expression[1];
 
+        if(!filterTags.includes('allowScript') && !filterTags.includes('script'))
+        {
+            // Only allow script if requested specifically
+            filterTags.push('script');
+        }
+
         for (var i = 0, len = filterTags.length; i < len; i++)
         {
             var tag = filterTags[i];
@@ -3820,18 +3827,34 @@
 
         //return html;
 
+        if (typeof attrs === "undefined")
+        {
+            // If no attrs set block "on*" to avoid XSS
+            attrs = "on*"
+        }
+
         if (typeof attrs !== "undefined")
         {
             var htmlTagRegex = /\<(\w+)\s*([^\>]*)\>([^\>]*)\<\/(\w+)\>/ig;
 
+            var filterAttrs = attrs.split(",");
+            var filterOn = true;
+
+            if(filterAttrs.includes('allowOn'))
+            {
+                // Only allow on* if requested specifically
+                filterOn = false;
+            }
+
             if (attrs === "*")
             {
                 html = html.replace(htmlTagRegex, function($1, $2, $3, $4, $5) {
                     return "<" + $2 + ">" + $4 + "</" + $5 + ">";
                 });         
             }
-            else if (attrs === "on*")
+            else if ((attrs === "on*") || filterOn)
             {
+
                 html = html.replace(htmlTagRegex, function($1, $2, $3, $4, $5) {
                     var el = $("<" + $2 + ">" + $4 + "</" + $5 + ">");
                     var _attrs = $($1)[0].attributes;
@@ -3854,10 +3877,9 @@
                     return el[0].outerHTML + text;
                 });
             }
-            else
+            if(filterAttrs.length > 1 || (filterAttrs[0]!=="*" && filterAttrs[0]!=="on*"))
             {
                 html = html.replace(htmlTagRegex, function($1, $2, $3, $4) {
-                    var filterAttrs = attrs.split(",");
                     var el = $($1);
                     el.html($4);