ansuz 6 years ago
commit 1b83431382

@ -9,6 +9,12 @@ define(['/api/config'], function (ApiConfig) {
window.alert('The bounce application must only be used with a valid href to visit'); window.alert('The bounce application must only be used with a valid href to visit');
return; return;
} }
if (bounceTo.indexOf('javascript:') === 0 || // jshint ignore:line
bounceTo.indexOf('vbscript:') === 0 || // jshint ignore:line
bounceTo.indexOf('data:') === 0) {
window.alert('Illegal bounce URL');
return;
}
window.opener = null; window.opener = null;
window.location.href = bounceTo; window.location.href = bounceTo;
}); });
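Review bot: The scheme blocklist added at the top of this hunk compares the raw string with `indexOf(...) === 0`, so it is case-sensitive and does not strip leading whitespace or control characters, while browsers normalise both before resolving a URL — `JavaScript:alert(1)` or `\tjavascript:alert(1)` passes the check and is then assigned to `window.location.href`. Parse the target and allow only the schemes the bounce page is meant to forward to, e.g. `var proto = null; try { proto = new URL(bounceTo, window.location.href).protocol; } catch (e) {}` followed by `if (proto !== 'http:' && proto !== 'https:') { window.alert('Illegal bounce URL'); return; }`; a blocklist also silently admits any scheme it does not name. Whether relative hrefs should be accepted is decided by the validity check just above this hunk, which is outside it, so the allowlist may need `window.location.protocol` added if that check lets them through. The enclosing define() callback starts before the hunk.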

@ -28,12 +28,17 @@ define([
}; };
Marked.setOptions({ Marked.setOptions({
//sanitize: true, // Disable HTML
renderer: renderer, renderer: renderer,
highlight: highlighter(), highlight: highlighter(),
}); });
DiffMd.render = function (md) {
return Marked(md);
DiffMd.render = function (md, sanitize) {
return Marked(md, {
sanitize: sanitize
});
}; };
var mediaMap = {}; var mediaMap = {};
@ -101,8 +106,9 @@ define([
'IFRAME', 'IFRAME',
'OBJECT', 'OBJECT',
'APPLET', 'APPLET',
//'VIDEO', // privacy implications of videos are the same as images 'VIDEO', // privacy implications of videos are the same as images
//'AUDIO', // same with audio 'AUDIO', // same with audio
'SVG'
]; ];
var unsafeTag = function (info) { var unsafeTag = function (info) {
/*if (info.node && $(info.node).parents('media-tag').length) { /*if (info.node && $(info.node).parents('media-tag').length) {
@ -117,10 +123,10 @@ define([
} }
if (['addElement', 'replaceElement'].indexOf(info.diff.action) !== -1) { if (['addElement', 'replaceElement'].indexOf(info.diff.action) !== -1) {
var msg = "Rejecting forbidden tag of type (%s)"; var msg = "Rejecting forbidden tag of type (%s)";
if (info.diff.element && forbiddenTags.indexOf(info.diff.element.nodeName) !== -1) { if (info.diff.element && forbiddenTags.indexOf(info.diff.element.nodeName.toUpperCase()) !== -1) {
console.log(msg, info.diff.element.nodeName); console.log(msg, info.diff.element.nodeName);
return true; return true;
} else if (info.diff.newValue && forbiddenTags.indexOf(info.diff.newValue.nodeName) !== -1) { } else if (info.diff.newValue && forbiddenTags.indexOf(info.diff.newValue.nodeName.toUpperCase()) !== -1) {
console.log("Replacing restricted element type (%s) with PRE", info.diff.newValue.nodeName); console.log("Replacing restricted element type (%s) with PRE", info.diff.newValue.nodeName);
info.diff.newValue.nodeName = 'PRE'; info.diff.newValue.nodeName = 'PRE';
} }
@ -142,7 +148,7 @@ define([
var removeForbiddenTags = function (root) { var removeForbiddenTags = function (root) {
if (!root) { return; } if (!root) { return; }
if (forbiddenTags.indexOf(root.nodeName) !== -1) { removeNode(root); } if (forbiddenTags.indexOf(root.nodeName.toUpperCase()) !== -1) { removeNode(root); }
slice(root.children).forEach(removeForbiddenTags); slice(root.children).forEach(removeForbiddenTags);
}; };
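Review bot: `DiffMd.render` in the first hunk gains a `sanitize` parameter without documenting what it does or what callers get when they omit it; existing `DiffMd.render(md)` calls now pass `undefined`, which — going by the commented-out `//sanitize: true, // Disable HTML` default a few lines up — means raw HTML in `md` still reaches the DOM-diff filter unescaped. A short JSDoc above the function would fix that: `/** Render markdown to HTML. @param {string} md @param {boolean} [sanitize] - when true, marked escapes raw HTML in md instead of passing it through; pass true for text written by other users. Omitted = unsanitized, for backward compatibility. */`. The `nodeName.toUpperCase()` added in the later hunks is presumably needed because elements in the SVG namespace report a lower-case nodeName, which is worth a one-line comment next to the new `'SVG'` entry: `// svg elements report a lower-case nodeName; compare with toUpperCase()`. The blocklist only covers element names; if event-handler attributes on permitted elements are filtered elsewhere in unsafeTag (its start is outside the hunk), a pointer to that code would help the next reader.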

@ -4,9 +4,8 @@ define([
'/common/common-util.js', '/common/common-util.js',
'/common/common-interface.js', '/common/common-interface.js',
'/common/hyperscript.js', '/common/hyperscript.js',
'/bower_components/marked/marked.min.js', '/common/diffMarked.js',
'/common/media-tag.js', ], function ($, Messages, Util, UI, h, DiffMd) {
], function ($, Messages, Util, UI, h, Marked, MediaTag) {
'use strict'; 'use strict';
var debug = console.log; var debug = console.log;
@ -138,12 +137,14 @@ define([
$(window).on('resize', onResize); $(window).on('resize', onResize);
var m = function (md, hour) { var m = function (md, hour) {
var d = h('div.cp-app-contacts-content'); var id = Util.createRandomInteger();
var d = h('div', {
id: 'msg-'+id
});
try { try {
d.innerHTML = Marked(md || '');
var $d = $(d); var $d = $(d);
// remove potentially malicious elements DiffMd.apply(DiffMd.render(md || '', true), $d, common);
$d.find('script, iframe, object, applet, video, audio').remove(); $d.addClass("cp-app-contacts-content");
// override link clicking, because we're in an iframe // override link clicking, because we're in an iframe
$d.find('a').each(function () { $d.find('a').each(function () {
@ -153,9 +154,6 @@ define([
}).attr('href'); }).attr('href');
}); });
// activate media-tags
$d.find('media-tag').each(function (i, e) { MediaTag(e); });
var time = h('div.cp-app-contacts-time', hour); var time = h('div.cp-app-contacts-time', hour);
$d.append(time); $d.append(time);
} catch (e) { } catch (e) {
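Review bot: The new `DiffMd.apply(DiffMd.render(md || '', true), $d, common);` line is what lets the old `$d.find('script, iframe, object, applet, video, audio').remove()` go, but nothing says so; a comment such as `// sanitize=true: chat text comes from other users, so raw HTML is escaped and DiffMd's tag filter strips the rest` keeps the next editor from dropping the `true`. `common` is not a parameter of `m` and is not defined in the hunk, so it is presumably a closure variable from the enclosing scope — worth confirming it is in scope wherever `m` is called. Minor style: `$d.addClass("cp-app-contacts-content")` uses double quotes while the surrounding new lines use single quotes (`'div'`, `'msg-'`); `$d.addClass('cp-app-contacts-content');` matches. The try/catch wrapping this code continues past the end of the hunk.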
