From b0b1ed037c52e1171f4514655182e7e65f4efd12 Mon Sep 17 00:00:00 2001
From: Caleb James DeLisle <cjd@cjdns.fr>
Date: Wed, 16 Aug 2017 10:19:24 +0200
Subject: [PATCH] Add a filter to catch XSS-like entities and also stub a
 on-load test which would otherwise make pads inaccessable.

---
 www/pad/main.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/www/pad/main.js b/www/pad/main.js
index d47c207e7..817607ded 100644
--- a/www/pad/main.js
+++ b/www/pad/main.js
@@ -313,6 +313,10 @@ define([
                 if (!readOnly && !initializing) {
                     userDocStateDom.setAttribute("contenteditable", "true"); // lol wtf
                 }
+                $(userDocStateDom).find('script, applet, object, iframe').remove();
+                $(userDocStateDom).find('a').filter(function (i, x) {
+                    return ! /^(https|http|ftp):\/\/[^\s\n]*$/.test(x.getAttribute('href'));
+                }).remove();
                 var patch = (DD).diff(inner, userDocStateDom);
                 (DD).apply(inner, patch);
                 if (readOnly) {
@@ -625,8 +629,10 @@ define([
                         if (stringify(hjson2) !== stringify(hjson)) {
                             console.log('err');
                             console.error("shjson2 !== shjson");
-                            Cryptpad.errorLoadingScreen(Messages.wrongApp);
-                            throw new Error();
+                            // TODO(cjd): This is removed because the XSS filter in applyHjson()
+                            //            is applied on incoming content so it causes this to fail.
+                            //Cryptpad.errorLoadingScreen(Messages.wrongApp);
+                            //throw new Error();
                         }
                     }
                 } else {