
Fix XSS

master
Menci 8 years ago
parent
commit
506103f90a
  1. 4
      package.json
  2. 15
      utility.js

4
package.json

@ -26,6 +26,7 @@
"adm-zip": "^0.4.7",
"ansi-to-html": "^0.4.2",
"body-parser": "^1.15.2",
"cheerio": "^0.22.0",
"cookie-parser": "^1.4.3",
"download": "^5.0.3",
"ejs": "^2.5.2",
@ -45,7 +46,6 @@
"session-file-store": "^1.0.0",
"sqlite3": "^3.1.4",
"syzoj-divine": "^1.0.0",
"tmp-promise": "^1.0.3",
"xssfilter": "^0.5.3"
"tmp-promise": "^1.0.3"
}
}

15
utility.js

@ -72,9 +72,20 @@ module.exports = {
return path.resolve.apply(null, a);
},
markdown(obj, keys, noReplaceUI) {
let xssfilter = new (require('xssfilter'))();
let cheerio = require('cheerio');
let replaceXSS = s => {
return xssfilter.filter(s);
let $ = cheerio.load(s);
$('script').remove();
$('style').remove();
$('*').each((i, elem) => {
let a = Object.getOwnPropertyNames(elem.attribs);
for (let key of a) {
if (key.startsWith('on')) {
$(elem).removeAttr(key);
}
}
});
return $.html();
};
let replaceUI = s => {
if (noReplaceUI) return s;
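Review bot: The new replaceXSS only removes `script`/`style` elements and `on*` attributes, so markup that executes through other vectors — `javascript:` URLs in `href`, `src`, `action` or `formaction`, `srcdoc` on an `iframe`, and `object`/`embed`/`base`/`meta` elements — passes through untouched, which makes the filtering weaker than the `xssfilter.filter(s)` call it replaces. A denylist also has to track attribute-name case; whether cheerio lowercases attribute names here depends on its parser options, so `key.toLowerCase()` before the `startsWith('on')` test is cheap insurance. The safer shape is an allowlist: remove the element types that can load or execute code, and keep URL-bearing attributes only when their scheme is http, https, mailto or the value is relative, as sketched below. The enclosing `markdown` function continues past the end of the hunk.
```javascript
let replaceXSS = s => {
  let $ = cheerio.load(s);
  // Elements that can execute or load code, or rewrite the document/base URL.
  $('script, style, iframe, object, embed, base, meta, link, form').remove();
  // Attributes that carry URLs: keep only http(s), mailto or relative values.
  const urlAttrs = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);
  const safeScheme = /^(?:https?:|mailto:|[^:]*$)/i;
  $('*').each((i, elem) => {
    for (let key of Object.getOwnPropertyNames(elem.attribs)) {
      let name = key.toLowerCase();
      let value = String(elem.attribs[key]).trim();
      if (name.startsWith('on') || name === 'srcdoc'
          || (urlAttrs.has(name) && !safeScheme.test(value))) {
        $(elem).removeAttr(key);
      }
    }
  });
  return $.html();
};
```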
