Add a filter to catch XSS-like entities and also stub a on-load test which would otherwise make pads inaccessable.

pull/1/head
Caleb James DeLisle 7 years ago
parent 638a94785f
commit b0b1ed037c

@ -313,6 +313,10 @@ define([
if (!readOnly && !initializing) {
userDocStateDom.setAttribute("contenteditable", "true"); // lol wtf
}
$(userDocStateDom).find('script, applet, object, iframe').remove();
$(userDocStateDom).find('a').filter(function (i, x) {
return ! /^(https|http|ftp):\/\/[^\s\n]*$/.test(x.getAttribute('href'));
}).remove();
var patch = (DD).diff(inner, userDocStateDom);
(DD).apply(inner, patch);
if (readOnly) {
@ -625,8 +629,10 @@ define([
if (stringify(hjson2) !== stringify(hjson)) {
console.log('err');
console.error("shjson2 !== shjson");
Cryptpad.errorLoadingScreen(Messages.wrongApp);
throw new Error();
// TODO(cjd): This is removed because the XSS filter in applyHjson()
// is applied on incoming content so it causes this to fail.
//Cryptpad.errorLoadingScreen(Messages.wrongApp);
//throw new Error();
}
}
} else {

Loading…
Cancel
Save