proxmox-mirrors/proxmox-widget-toolkit
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox-widget-toolkit synced 2025-05-29 08:40:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

markdown: encode bad nodes HTML instead of pruning it

Browse Source 
As pruning means content an user wrote into the box, even if with
malicious intend, gets hidden and that can be quite confusing..

So rather get the outerHTML, transform it with ExtJS's htmlEncode and
set it again.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2021-07-04 19:22:38 +02:00
parent 65f4704b62
commit 71bc0913bd
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Parser.js
View File

@ -3,7 +3,7 @@ Ext.define('Proxmox.Markdown', {
alternateClassName: 'Px.Markdown', // just trying out something, do NOT copy this line
singleton: true,
// transforms HTML to a DOM tree and recursively descends and prunes every branch with a
// transforms HTML to a DOM tree and recursively descends and HTML-encodes every branch with a
// "bad" node.type and drops "bad" attributes from the remaining nodes.
// "bad" means anything which can do XSS or break the layout of the outer page
sanitizeHTML: function(input) {
@ -14,7 +14,8 @@ Ext.define('Proxmox.Markdown', {
_sanitize = (node) => {
if (node.nodeType === 3) return;
if (node.nodeType !== 1 || /^(script|iframe|object|embed|svg)$/i.test(node.tagName)) {
node.remove();
// could do node.remove() instead, but it's nicer UX if we keep the (encoded!) html
node.outerHTML = Ext.String.htmlEncode(node.outerHTML);
return;
}
for (let i=node.attributes.length; i--;) {