HackMD/public/js/render.js

// allow some attributes
var whiteListAttr = ['id', 'class', 'style'];
// allow link starts with '.', '/' and custom protocol with '://'
var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
// allow data uri, from https://gist.github.com/bgrins/6194623
var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@\/?%\s]*)\s*$/i;
// custom white list
var whiteList = filterXSS.whiteList;
// allow ol specify start number
whiteList['ol'] = ['start'];
// allow style tag
whiteList['style'] = [];
// allow kbd tag
whiteList['kbd'] = [];
// allow ifram tag with some safe attributes
whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height'];

var filterXSSOptions = {
    allowCommentTag: true,
    whiteList: whiteList,
    escapeHtml: function (html) {
        // allow html comment in multiple lines
        return html.replace(/<(.*?)>/g, '&lt;$1&gt;');
    },
    onIgnoreTag: function (tag, html, options) {
        // allow comment tag
        if (tag == "!--") {
            // do not filter its attributes
            return html;
        }
    },
    onTagAttr: function (tag, name, value, isWhiteAttr) {
        // allow href and src that match linkRegex
        if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
            return name + '="' + filterXSS.escapeAttrValue(value) + '"';
        }
        // allow data uri in img src
        if (isWhiteAttr && (tag == "img" && name === 'src') && dataUriRegex.test(value)) {
            return name + '="' + filterXSS.escapeAttrValue(value) + '"';
        }
    },
    onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
        // allow attr start with 'data-' or in the whiteListAttr
        if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
            // escape its value using built-in escapeAttrValue function
            return name + '="' + filterXSS.escapeAttrValue(value) + '"';
        }
    }
};

function preventXSS(html) {
    return filterXSS(html, filterXSSOptions);
}
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 10:32:22 +00:00			`// allow some attributes`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 20:33:21 +00:00			`var whiteListAttr = ['id', 'class', 'style'];`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 10:32:22 +00:00			`// allow link starts with '.', '/' and custom protocol with '://'`
			`var linkRegex = /^([\w\|-]+:\/\/)\|^([\.\|\/])+/;`
Update to support data uri in src attribute of image tag 2016-08-15 03:00:02 +00:00			`// allow data uri, from https://gist.github.com/bgrins/6194623`
			`var dataUriRegex = /^\sdata:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()+;=\-._~:@\/?%\s])\s$/i;`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 10:32:22 +00:00			`// custom white list`
			`var whiteList = filterXSS.whiteList;`
			`// allow ol specify start number`
			`whiteList['ol'] = ['start'];`
			`// allow style tag`
			`whiteList['style'] = [];`
			`// allow kbd tag`
			`whiteList['kbd'] = [];`
			`// allow ifram tag with some safe attributes`
			`whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height'];`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 20:33:21 +00:00
			`var filterXSSOptions = {`
			`allowCommentTag: true,`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 10:32:22 +00:00			`whiteList: whiteList,`
Fix XSS HTML replace might get wrong on the HTML comments in the code tags 2016-04-20 10:10:43 +00:00			`escapeHtml: function (html) {`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 10:32:22 +00:00			`// allow html comment in multiple lines`
Fix XSS HTML replace might get wrong on the HTML comments in the code tags 2016-04-20 10:10:43 +00:00			`return html.replace(/<(.*?)>/g, '<$1>');`
			`},`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 20:33:21 +00:00			`onIgnoreTag: function (tag, html, options) {`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 10:32:22 +00:00			`// allow comment tag`
			`if (tag == "!--") {`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 20:33:21 +00:00			`// do not filter its attributes`
			`return html;`
			`}`
			`},`
Update filter XSS to allow attr href starts with '.' or '/' 2016-04-20 10:18:52 +00:00			`onTagAttr: function (tag, name, value, isWhiteAttr) {`
Update XSS policy to allow iframe and link with custom protocol 2016-08-14 10:32:22 +00:00			`// allow href and src that match linkRegex`
			`if (isWhiteAttr && (name === 'href' \|\| name === 'src') && linkRegex.test(value)) {`
Update filter XSS to allow attr href starts with '.' or '/' 2016-04-20 10:18:52 +00:00			`return name + '="' + filterXSS.escapeAttrValue(value) + '"';`
			`}`
Update to support data uri in src attribute of image tag 2016-08-15 03:00:02 +00:00			`// allow data uri in img src`
			`if (isWhiteAttr && (tag == "img" && name === 'src') && dataUriRegex.test(value)) {`
			`return name + '="' + filterXSS.escapeAttrValue(value) + '"';`
			`}`
Update filter XSS to allow attr href starts with '.' or '/' 2016-04-20 10:18:52 +00:00			`},`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 20:33:21 +00:00			`onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {`
			`// allow attr start with 'data-' or in the whiteListAttr`
			`if (name.substr(0, 5) === 'data-' \|\| whiteListAttr.indexOf(name) !== -1) {`
			`// escape its value using built-in escapeAttrValue function`
			`return name + '="' + filterXSS.escapeAttrValue(value) + '"';`
Fixed prevent XSS might break lots of tags and only need after rendered 2016-02-11 09:45:13 +00:00			`}`
Updated XSS filter options to allow style tag and style attribute 2016-02-11 20:33:21 +00:00			`}`
			`};`

			`function preventXSS(html) {`
			`return filterXSS(html, filterXSSOptions);`
Fixed prevent XSS might break lots of tags and only need after rendered 2016-02-11 09:45:13 +00:00			`}`