FIX: XSS in markdown converter.

Robin Ward 2014-04-28 14:43:49 -04:00
parent 495f78f574
commit ba683bc611
2 changed files with 4 additions and 3 deletions


@ -42,7 +42,6 @@ function processTextNodes(node, event, emitter) {
for (var j=1; j<node.length; j++) { for (var j=1; j<node.length; j++) {
var textContent = node[j]; var textContent = node[j];
if (typeof textContent === "string") { if (typeof textContent === "string") {
if (dialect.options.sanitize && !skipSanitize[textContent]) { if (dialect.options.sanitize && !skipSanitize[textContent]) {
textContent = Discourse.Markdown.sanitize(textContent); textContent = Discourse.Markdown.sanitize(textContent);
} }
@ -63,9 +62,9 @@ function processTextNodes(node, event, emitter) {
} }
} }
} }
/** /**
Parse a JSON ML tree, using registered handlers to adjust it if necessary. Parse a JSON ML tree, using registered handlers to adjust it if necessary.
@ -96,7 +95,7 @@ function parseTree(tree, path, insideCounts) {
insideCounts[tagName] = (insideCounts[tagName] || 0) + 1; insideCounts[tagName] = (insideCounts[tagName] || 0) + 1;
if (n && n.length === 2 && n[0] === "p" && /^<!--([\s\S]*)-->$/m.exec(n[1])) { if (n && n.length === 2 && n[0] === "p" && /^<!--([\s\S]*)-->$/.exec(n[1])) {
// Remove paragraphs around comment-only nodes. // Remove paragraphs around comment-only nodes.
tree[i] = n[1]; tree[i] = n[1];
} else { } else {
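Review bot: Dropping the `m` flag on the comment-only check stops `^`/`$` from matching at inner line breaks, but the pattern still accepts any paragraph text that merely starts with `<!--` and ends with `-->`, because the greedy `[\s\S]*` is free to span a closing `-->`; a paragraph such as `<!-- --><b onmouseover=x>y</b><!-- -->` matches and is lifted out of its `p` verbatim on the following `tree[i] = n[1]` line. Whether that raw string is sanitized later is not visible here (parseTree's body continues outside the hunk, and the sanitize call in processTextNodes applies only to string nodes it walks), so treat this as a check worth making rather than a confirmed bypass. Forbidding an inner terminator in the capture, `/^<!--((?:(?!-->)[\s\S])*)-->$/.exec(n[1])`, restricts the shortcut to a single comment. The added test pins only the newline variant, so a case for comment-wrapped markup would lock the intended behaviour in.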


@ -354,6 +354,8 @@ test("sanitize", function() {
equal(sanitize("<canvas>draw me!</canvas>"), "draw me!"); equal(sanitize("<canvas>draw me!</canvas>"), "draw me!");
cooked("[the answer](javascript:alert(42))", "<p><a>the answer</a></p>", "it prevents XSS"); cooked("[the answer](javascript:alert(42))", "<p><a>the answer</a></p>", "it prevents XSS");
cooked("<i class=\"fa fa-bug fa-spin\" style=\"font-size:600%\"></i>\n<!-- -->", "<p><i></i><br/>&lt;!-- --&gt;</p>", "it doesn't circumvent XSS with comments");
}); });
test("URLs in BBCode tags", function() { test("URLs in BBCode tags", function() {