Add CSS filter for XSS

8 years ago · eb33109230
2 changed files with 15 additions and 0 deletions
--- a/package.json
+++ b/package.json
@ -28,6 +28,7 @@
    "body-parser": "^1.15.2",
    "cheerio": "^0.22.0",
    "cookie-parser": "^1.4.3",
+    "cssfilter": "0.0.10",
    "download": "^5.0.3",
    "ejs": "^2.5.2",
    "express": "^4.14.0",
--- a/utility.js
+++ b/utility.js
@ -73,6 +73,16 @@ module.exports = {
  },
  markdown(obj, keys, noReplaceUI) {
    let cheerio = require('cheerio');
+    let CSSFilter = require('cssfilter');
+    let cssfilter = new CSSFilter.FilterCSS({
+      whiteList: Object.assign({}, require('cssfilter/lib/default').whiteList, {
+        'vertical-align': true,
+        top: true,
+        bottom: true,
+        left: true,
+        right: true
+      })
+    });
    let replaceXSS = s => {
      let $ = cheerio.load(s);
      $('script').remove();
@ -85,6 +95,10 @@ module.exports = {
            $(elem).removeAttr(key);
          }
        }
+
+        if ($(elem).attr('style')) {
+          $(elem).attr('style', cssfilter.process($(elem).attr('style')));
+        }
      });
      return $.html();
    };