Fix to filter @import CSS syntax in style tag to prevent XSS [Security Issue]
This commit is contained in:
Wu Cheng-Han
parent
b0b417cefc
commit
d96385eafd
1 changed files with 9 additions and 4 deletions
|
|
@ -552,10 +552,6 @@ export function finishView (view) {
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
console.warn(err)
|
console.warn(err)
|
||||||
}
|
}
|
||||||
// unescape > symbel inside the style tags
|
|
||||||
view.find('style').each((key, value) => {
|
|
||||||
$(value).html($(value).html().replace(/>/g, '>'))
|
|
||||||
})
|
|
||||||
// render title
|
// render title
|
||||||
document.title = renderTitle(view)
|
document.title = renderTitle(view)
|
||||||
}
|
}
|
||||||
|
|
@ -563,6 +559,15 @@ export function finishView (view) {
|
||||||
// only static transform should be here
|
// only static transform should be here
|
||||||
export function postProcess (code) {
|
export function postProcess (code) {
|
||||||
const result = $(`<div>${code}</div>`)
|
const result = $(`<div>${code}</div>`)
|
||||||
|
// process style tags
|
||||||
|
result.find('style').each((key, value) => {
|
||||||
|
let html = $(value).html()
|
||||||
|
// unescape > symbel inside the style tags
|
||||||
|
html = html.replace(/>/g, '>')
|
||||||
|
// remove css @import to prevent XSS
|
||||||
|
html = html.replace(/@import url\(([^)]*)\);?/gi, '')
|
||||||
|
$(value).html(html)
|
||||||
|
})
|
||||||
// link should open in new window or tab
|
// link should open in new window or tab
|
||||||
result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
|
result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
|
||||||
// update continue line numbers
|
// update continue line numbers
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue