fix xss (#2531)
tamlok authored Jul 22, 2024
1 parent a7600fa commit f1af785
Showing 3 changed files with 12 additions and 12 deletions.
13 changes: 10 additions & 3 deletions src/data/extra/web/js/markdown-it/markdown-it-xss.js
Expand Up @@ -4,17 +4,24 @@
module.exports = function protect_xss(md, opts = {}) {
const proxy = (tokens, idx, options, env, self) => self.renderToken(tokens, idx, options);
const defaultHtmlInlineRenderer = md.renderer.rules.html_inline || proxy;
const defaultHtmlBlockRenderer = md.renderer.rules.html_block || proxy;
opts.whiteList = {...window.filterXSS.getDefaultWhiteList(), ...opts.whiteList};
// Do not escape value when it is a tag and attr in the whitelist.
opts.safeAttrValue = (tag, name, value, cssFilter) => { return value; }

function protectFromXSS(html) {
return filterXSS(html, opts);
}

function filterContent(tokens, idx, options, env, slf) {
function filterContent(tokens, idx, options, env, slf, fallback) {
tokens[idx].content = protectFromXSS(tokens[idx].content);
return defaultHtmlInlineRenderer(tokens, idx, options, env, slf);
return fallback(tokens, idx, options, env, slf);
}

md.renderer.rules.html_inline = filterContent;
md.renderer.rules.html_inline = (tokens, idx, options, env, slf) =>
filterContent(tokens, idx, options, env, slf, defaultHtmlInlineRenderer);
md.renderer.rules.html_block = (tokens, idx, options, env, slf) =>
filterContent(tokens, idx, options, env, slf, defaultHtmlBlockRenderer);
};

},{}]},{},[1])(1)
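Review bot: The `opts.safeAttrValue = (tag, name, value, cssFilter) => { return value; }` override on the fifth line of the hunk returns every attribute value untouched, which drops not only the escaping the comment above it mentions but also the library's default value checks — as far as I recall, filterXSS's default `safeAttrValue` is what rejects script-scheme URLs in `href`/`src` and routes `style` through `cssFilter`, and both attribute kinds are in the default whitelist merged on the line just above, so a whitelisted tag can now carry an arbitrary URL scheme or CSS into the rendered page. A narrower override would keep the default for those attributes and only skip escaping for the rest, e.g. `opts.safeAttrValue = (tag, name, value, cssFilter) => (name === 'href' || name === 'src' || name === 'style') ? window.filterXSS.safeAttrValue(tag, name, value, cssFilter) : value;`, assuming the bundled build exposes `safeAttrValue` the way it exposes `getDefaultWhiteList`. Two smaller points: the function mutates the caller's `opts` object (`whiteList`, `safeAttrValue`) instead of working on a local copy, and `protectFromXSS` calls bare `filterXSS` while the line above uses `window.filterXSS`; picking one form would make the dependency on the global explicit.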
7 changes: 0 additions & 7 deletions src/data/extra/web/js/markdownit.js
Expand Up @@ -214,13 +214,6 @@ class MarkdownIt extends VxWorker {
this.mdit.use(window.markdownItXSS, {
whiteList: {
input: ["style", "class", "disabled", "type", "checked"],
mark: ["style", "class"],
font: ["style", "color", "class"],
sub: ["style", "class"],
sup: ["style", "class"],
details: ["style", "class"],
summary: ["style", "class"],
ins: ["style", "class"],
span: ["style", "class"],
}
});
4 changes: 2 additions & 2 deletions src/widgets/framelessmainwindow/framelessmainwindowwin.h
Expand Up @@ -14,9 +14,9 @@ namespace vnotex

protected:
#if (QT_VERSION >= QT_VERSION_CHECK(6,0,0))
bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result);
bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result) Q_DECL_OVERRIDE;
#else
bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result);
bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result) Q_DECL_OVERRIDE;
#endif

void moveEvent(QMoveEvent *p_event) Q_DECL_OVERRIDE;
