Fix to filter @import CSS syntax in style tag to prevent XSS [Security Issue]

Wu Cheng-Han 2017-10-05 10:17:26 +08:00
parent b0b417cefc
commit d96385eafd


@ -552,10 +552,6 @@ export function finishView (view) {
} catch (err) { } catch (err) {
console.warn(err) console.warn(err)
} }
// unescape > symbel inside the style tags
view.find('style').each((key, value) => {
$(value).html($(value).html().replace(/>/g, '>'))
})
// render title // render title
document.title = renderTitle(view) document.title = renderTitle(view)
} }
@ -563,6 +559,15 @@ export function finishView (view) {
// only static transform should be here // only static transform should be here
export function postProcess (code) { export function postProcess (code) {
const result = $(`<div>${code}</div>`) const result = $(`<div>${code}</div>`)
// process style tags
result.find('style').each((key, value) => {
let html = $(value).html()
// unescape > symbel inside the style tags
html = html.replace(/&gt;/g, '>')
// remove css @import to prevent XSS
html = html.replace(/@import url\(([^)]*)\);?/gi, '')
$(value).html(html)
})
// link should open in new window or tab // link should open in new window or tab
result.find('a:not([href^="#"]):not([target])').attr('target', '_blank') result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
// update continue line numbers // update continue line numbers
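Review bot: The `@import` filter added to the style-tag loop in postProcess only matches the exact `@import url(...)` spelling, so the string form (`@import "…";`) and variants with different whitespace between `@import` and `url(` pass through untouched. Because the replace runs only once, removing a match can also leave the text on either side joined into a fresh `@import` rule. I would match the at-rule regardless of its argument and repeat until the text stops changing, e.g. `let prev; do { prev = html; html = html.replace(/@import\b[^;]*;?/gi, '') } while (html !== prev)`, and treat this as defence in depth next to a CSP that restricts style sources, since a regex over raw CSS text is brittle. postProcess continues past the end of this hunk, so whether a later sanitizer also handles style content is not visible here.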