From 506103f90a4b6c96e2ea8cc95600368e8a7e2a8e Mon Sep 17 00:00:00 2001
From: Menci
Date: Sat, 15 Apr 2017 23:01:14 +0800
Subject: [PATCH] Fix XSS

---
 package.json | 4 ++--
 utility.js | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index 66d4dae..6f808fb 100644
--- a/package.json
+++ b/package.json
@@ -26,6 +26,7 @@
 "adm-zip": "^0.4.7",
 "ansi-to-html": "^0.4.2",
 "body-parser": "^1.15.2",
+ "cheerio": "^0.22.0",
 "cookie-parser": "^1.4.3",
 "download": "^5.0.3",
 "ejs": "^2.5.2",
@@ -45,7 +46,6 @@
 "session-file-store": "^1.0.0",
 "sqlite3": "^3.1.4",
 "syzoj-divine": "^1.0.0",
- "tmp-promise": "^1.0.3",
- "xssfilter": "^0.5.3"
+ "tmp-promise": "^1.0.3"
 }
 }
diff --git a/utility.js b/utility.js
index 4cdaf82..ba72067 100644
--- a/utility.js
+++ b/utility.js
@@ -72,9 +72,20 @@ module.exports = {
 return path.resolve.apply(null, a);
 },
 markdown(obj, keys, noReplaceUI) {
- let xssfilter = new (require('xssfilter'))();
+ let cheerio = require('cheerio');
 let replaceXSS = s => {
- return xssfilter.filter(s);
+ let $ = cheerio.load(s);
+ $('script').remove();
+ $('style').remove();
+ $('*').each((i, elem) => {
+ let a = Object.getOwnPropertyNames(elem.attribs);
+ for (let key of a) {
+ if (key.startsWith('on')) {
+ $(elem).removeAttr(key);
+ }
+ }
+ });
+ return $.html();
 };
 let replaceUI = s => {
 if (noReplaceUI) return s;
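Review bot: The new `replaceXSS` in the utility.js hunk is a denylist that drops only `<script>`/`<style>` elements and attributes whose name begins with `on`, so URL-valued attributes (`href`, `src`, `action`, `formaction`) are returned with their scheme unchecked and embedding elements such as `iframe`, `object` and `embed` pass through untouched; the subject "Fix XSS" claims more than this filter enforces. Because the input is user-authored content rendered into the page, the robust mitigation is an allowlist of the tags and attributes the site actually needs plus acceptance of only known-safe URL schemes; the smaller change below keeps the current structure but closes the gaps named above. Two details worth confirming against cheerio ^0.22.0: `key.startsWith('on')` is case-sensitive and relies on the parser lowercasing attribute names, and `$.html()` serialises the whole parsed document, so verify that a fragment round-trips without an added wrapper. The function `markdown(obj, keys, noReplaceUI)` continues past the end of the hunk, so the later use of `replaceXSS` is not visible here.
```javascript
let cheerio = require('cheerio');
let replaceXSS = s => {
  let $ = cheerio.load(s);
  // Elements that execute or embed content are removed outright.
  $('script, style, iframe, object, embed, link, meta, base').remove();
  // Attributes whose value a browser navigates to or executes.
  const URL_ATTRS = ['href', 'src', 'action', 'formaction', 'xlink:href'];
  $('*').each((_, elem) => {
    for (let key of Object.getOwnPropertyNames(elem.attribs)) {
      let name = key.toLowerCase();
      // Whitespace/control characters inside a scheme are ignored by browsers; strip before matching.
      let value = String(elem.attribs[key]).toLowerCase().replace(/[\s\u0000-\u001f]/g, '');
      let isHandler = name.startsWith('on');
      let isScriptUrl = URL_ATTRS.includes(name) && /^(javascript|vbscript|data):/.test(value);
      if (isHandler || isScriptUrl) $(elem).removeAttr(key);
    }
  });
  return $.html();
};
// … unchanged: replaceUI and the rest of markdown() …
```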