From f1af78573a0ef51d6ef6a0bc4080cddc8f30a545 Mon Sep 17 00:00:00 2001
From: Le Tan
Date: Mon, 22 Jul 2024 22:36:38 +0800
Subject: [PATCH] fix xss (#2531)
---
 .../extra/web/js/markdown-it/markdown-it-xss.js | 13 ++++++++++---
 src/data/extra/web/js/markdownit.js | 7 -------
 .../framelessmainwindow/framelessmainwindowwin.h | 4 ++--
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/data/extra/web/js/markdown-it/markdown-it-xss.js b/src/data/extra/web/js/markdown-it/markdown-it-xss.js
index 48cafa4d4e..9838582d0f 100644
--- a/src/data/extra/web/js/markdown-it/markdown-it-xss.js
+++ b/src/data/extra/web/js/markdown-it/markdown-it-xss.js
@@ -4,17 +4,24 @@ module.exports = function protect_xss(md, opts = {}) {
 const proxy = (tokens, idx, options, env, self) => self.renderToken(tokens, idx, options);
 const defaultHtmlInlineRenderer = md.renderer.rules.html_inline || proxy;
+ const defaultHtmlBlockRenderer = md.renderer.rules.html_block || proxy;
+ opts.whiteList = {...window.filterXSS.getDefaultWhiteList(), ...opts.whiteList};
+ // Do not escape value when it is a tag and attr in the whitelist.
+ opts.safeAttrValue = (tag, name, value, cssFilter) => { return value; }
 function protectFromXSS(html) {
 return filterXSS(html, opts);
 }
- function filterContent(tokens, idx, options, env, slf) {
+ function filterContent(tokens, idx, options, env, slf, fallback) {
 tokens[idx].content = protectFromXSS(tokens[idx].content);
- return defaultHtmlInlineRenderer(tokens, idx, options, env, slf);
+ return fallback(tokens, idx, options, env, slf);
 }
- md.renderer.rules.html_inline = filterContent;
+ md.renderer.rules.html_inline = (tokens, idx, options, env, slf) =>
+ filterContent(tokens, idx, options, env, slf, defaultHtmlInlineRenderer);
+ md.renderer.rules.html_block = (tokens, idx, options, env, slf) =>
+ filterContent(tokens, idx, options, env, slf, defaultHtmlBlockRenderer);
 };
 },{}]},{},[1])(1)
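Review bot: The added `opts.safeAttrValue = (tag, name, value, cssFilter) => { return value; }` swaps the filter's per-attribute value sanitiser for an identity function, so every whitelisted attribute value is written to the output exactly as the note author typed it. In js-xss the default `safeAttrValue` is the step that restricts `href`/`src` to an allow-list of URL schemes, passes `style` through `cssFilter`, and escapes the value before it is re-quoted; with the override none of that runs for the default whitelist merged in on the line above (which includes `a[href]` and `img[src]`) or for the `style` attributes allowed in markdownit.js, and it now covers `html_block` as well as `html_inline`. If the goal is only to stop over-escaping of specific attributes, keep the library default and carve out a narrow exception, e.g. `opts.safeAttrValue = (tag, name, value, cssFilter) => name === "class" ? window.filterXSS.escapeAttrValue(value) : window.filterXSS.safeAttrValue(tag, name, value, cssFilter);` (the attribute name here is a placeholder for whichever one actually needed the change). Separately, both new assignments mutate the caller's `opts` object; building a local copy such as `const xssOpts = {...opts, whiteList: {...}}` and passing that to `filterXSS` would avoid side effects on the caller.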
diff --git a/src/data/extra/web/js/markdownit.js b/src/data/extra/web/js/markdownit.js
index 2367b2103c..93327b3f09 100644
--- a/src/data/extra/web/js/markdownit.js
+++ b/src/data/extra/web/js/markdownit.js
@@ -214,13 +214,6 @@ class MarkdownIt extends VxWorker {
 this.mdit.use(window.markdownItXSS, {
 whiteList: {
 input: ["style", "class", "disabled", "type", "checked"],
- mark: ["style", "class"],
- font: ["style", "color", "class"],
- sub: ["style", "class"],
- sup: ["style", "class"],
- details: ["style", "class"],
- summary: ["style", "class"],
- ins: ["style", "class"],
 span: ["style", "class"],
 }
 });
diff --git a/src/widgets/framelessmainwindow/framelessmainwindowwin.h b/src/widgets/framelessmainwindow/framelessmainwindowwin.h
index 9ddd69a2f5..c2ce3e8e1d 100644
--- a/src/widgets/framelessmainwindow/framelessmainwindowwin.h
+++ b/src/widgets/framelessmainwindow/framelessmainwindowwin.h
@@ -14,9 +14,9 @@ namespace vnotex
 protected:
 #if (QT_VERSION >= QT_VERSION_CHECK(6,0,0))
- bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result);
+ bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result) Q_DECL_OVERRIDE;
 #else
- bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result);
+ bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result) Q_DECL_OVERRIDE;
 #endif
 void moveEvent(QMoveEvent *p_event) Q_DECL_OVERRIDE;