Merge branch 'master' of https://git.xwikisas.com/xwiki-labs/cryptpad
@@ -9,6 +9,12 @@ define(['/api/config'], function (ApiConfig) {
|
|||||||
window.alert('The bounce application must only be used with a valid href to visit');
|
window.alert('The bounce application must only be used with a valid href to visit');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if (bounceTo.indexOf('javascript:') === 0 || // jshint ignore:line
|
||||||
|
bounceTo.indexOf('vbscript:') === 0 || // jshint ignore:line
|
||||||
|
bounceTo.indexOf('data:') === 0) {
|
||||||
|
window.alert('Illegal bounce URL');
|
||||||
|
return;
|
||||||
|
}
|
||||||
window.opener = null;
|
window.opener = null;
|
||||||
window.location.href = bounceTo;
|
window.location.href = bounceTo;
|
||||||
});
|
});
|
||||||
|
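Review bot: The scheme check added ahead of `window.opener = null` is a lowercase-prefix blocklist, so it only rejects the three spellings listed; browsers compare schemes case-insensitively and strip leading control characters before matching, so variants of the same schemes slip past it, and any other non-navigational scheme is passed through to `window.location.href` unchanged. Parsing the value and allow-listing the protocol is the safer shape: `var proto; try { proto = new URL(bounceTo, window.location.href).protocol; } catch (e) { proto = ''; }` followed by `if (proto !== 'http:' && proto !== 'https:') { window.alert('Illegal bounce URL'); return; }`, which also rejects unparsable input instead of navigating to it. The enclosing callback begins before the hunk, so where `bounceTo` is read from is not visible here; if it comes from the URL fragment or query string, the allow-list matters more, not less.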
|||||||
@@ -28,12 +28,17 @@ define([
|
|||||||
};
|
};
|
||||||
|
|
||||||
Marked.setOptions({
|
Marked.setOptions({
|
||||||
|
//sanitize: true, // Disable HTML
|
||||||
renderer: renderer,
|
renderer: renderer,
|
||||||
highlight: highlighter(),
|
highlight: highlighter(),
|
||||||
});
|
});
|
||||||
|
|
||||||
DiffMd.render = function (md) {
|
|
||||||
return Marked(md);
|
|
||||||
|
DiffMd.render = function (md, sanitize) {
|
||||||
|
return Marked(md, {
|
||||||
|
sanitize: sanitize
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
var mediaMap = {};
|
var mediaMap = {};
|
||||||
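Review bot: `DiffMd.render` gains a `sanitize` parameter without any documentation, and a caller that omits it passes `sanitize: undefined`, which marked treats as off, so the safe setting is opt-in rather than the default. That is consistent with the previous behaviour (the `sanitize: true` line in `Marked.setOptions` was already commented out and is dropped here), but a docblock is needed so new call sites know to pass `true` for text authored by other users: `/** Render markdown to an HTML string. @param {string} md @param {boolean} sanitize - pass true for content written by other users; marked then drops raw HTML in the markdown source. This is independent of the forbiddenTags filtering applied to the resulting DOM elsewhere in this file. */`. If the callers that genuinely need raw HTML are few, consider `sanitize: sanitize !== false` so the default is the safe one; that needs checking against the existing `DiffMd.render(md)` call sites, which are not visible in the hunk.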
@@ -101,8 +106,9 @@ define([
|
|||||||
'IFRAME',
|
'IFRAME',
|
||||||
'OBJECT',
|
'OBJECT',
|
||||||
'APPLET',
|
'APPLET',
|
||||||
//'VIDEO', // privacy implications of videos are the same as images
|
'VIDEO', // privacy implications of videos are the same as images
|
||||||
//'AUDIO', // same with audio
|
'AUDIO', // same with audio
|
||||||
|
'SVG'
|
||||||
];
|
];
|
||||||
var unsafeTag = function (info) {
|
var unsafeTag = function (info) {
|
||||||
/*if (info.node && $(info.node).parents('media-tag').length) {
|
/*if (info.node && $(info.node).parents('media-tag').length) {
|
||||||
@@ -117,10 +123,10 @@ define([
|
|||||||
}
|
}
|
||||||
if (['addElement', 'replaceElement'].indexOf(info.diff.action) !== -1) {
|
if (['addElement', 'replaceElement'].indexOf(info.diff.action) !== -1) {
|
||||||
var msg = "Rejecting forbidden tag of type (%s)";
|
var msg = "Rejecting forbidden tag of type (%s)";
|
||||||
if (info.diff.element && forbiddenTags.indexOf(info.diff.element.nodeName) !== -1) {
|
if (info.diff.element && forbiddenTags.indexOf(info.diff.element.nodeName.toUpperCase()) !== -1) {
|
||||||
console.log(msg, info.diff.element.nodeName);
|
console.log(msg, info.diff.element.nodeName);
|
||||||
return true;
|
return true;
|
||||||
} else if (info.diff.newValue && forbiddenTags.indexOf(info.diff.newValue.nodeName) !== -1) {
|
} else if (info.diff.newValue && forbiddenTags.indexOf(info.diff.newValue.nodeName.toUpperCase()) !== -1) {
|
||||||
console.log("Replacing restricted element type (%s) with PRE", info.diff.newValue.nodeName);
|
console.log("Replacing restricted element type (%s) with PRE", info.diff.newValue.nodeName);
|
||||||
info.diff.newValue.nodeName = 'PRE';
|
info.diff.newValue.nodeName = 'PRE';
|
||||||
}
|
}
|
||||||
@@ -142,7 +148,7 @@ define([
|
|||||||
|
|
||||||
var removeForbiddenTags = function (root) {
|
var removeForbiddenTags = function (root) {
|
||||||
if (!root) { return; }
|
if (!root) { return; }
|
||||||
if (forbiddenTags.indexOf(root.nodeName) !== -1) { removeNode(root); }
|
if (forbiddenTags.indexOf(root.nodeName.toUpperCase()) !== -1) { removeNode(root); }
|
||||||
slice(root.children).forEach(removeForbiddenTags);
|
slice(root.children).forEach(removeForbiddenTags);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -4,9 +4,8 @@ define([
|
|||||||
'/common/common-util.js',
|
'/common/common-util.js',
|
||||||
'/common/common-interface.js',
|
'/common/common-interface.js',
|
||||||
'/common/hyperscript.js',
|
'/common/hyperscript.js',
|
||||||
'/bower_components/marked/marked.min.js',
|
'/common/diffMarked.js',
|
||||||
'/common/media-tag.js',
|
], function ($, Messages, Util, UI, h, DiffMd) {
|
||||||
], function ($, Messages, Util, UI, h, Marked, MediaTag) {
|
|
||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
var debug = console.log;
|
var debug = console.log;
|
||||||
@@ -138,12 +137,14 @@ define([
|
|||||||
$(window).on('resize', onResize);
|
$(window).on('resize', onResize);
|
||||||
|
|
||||||
var m = function (md, hour) {
|
var m = function (md, hour) {
|
||||||
var d = h('div.cp-app-contacts-content');
|
var id = Util.createRandomInteger();
|
||||||
|
var d = h('div', {
|
||||||
|
id: 'msg-'+id
|
||||||
|
});
|
||||||
try {
|
try {
|
||||||
d.innerHTML = Marked(md || '');
|
|
||||||
var $d = $(d);
|
var $d = $(d);
|
||||||
// remove potentially malicious elements
|
DiffMd.apply(DiffMd.render(md || '', true), $d, common);
|
||||||
$d.find('script, iframe, object, applet, video, audio').remove();
|
$d.addClass("cp-app-contacts-content");
|
||||||
|
|
||||||
// override link clicking, because we're in an iframe
|
// override link clicking, because we're in an iframe
|
||||||
$d.find('a').each(function () {
|
$d.find('a').each(function () {
|
||||||
@@ -153,9 +154,6 @@ define([
|
|||||||
}).attr('href');
|
}).attr('href');
|
||||||
});
|
});
|
||||||
|
|
||||||
// activate media-tags
|
|
||||||
$d.find('media-tag').each(function (i, e) { MediaTag(e); });
|
|
||||||
|
|
||||||
var time = h('div.cp-app-contacts-time', hour);
|
var time = h('div.cp-app-contacts-time', hour);
|
||||||
$d.append(time);
|
$d.append(time);
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
|
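Review bot: In `m`, the `true` in `DiffMd.apply(DiffMd.render(md || '', true), $d, common)` is an undocumented positional boolean, and since the same hunk removes the explicit `$d.find('script, iframe, object, applet, video, audio').remove()` safety net, that flag is now the only visible control on raw HTML in chat messages; a comment on the line, `// sanitize=true: message text is authored by other users, so raw HTML in the markdown must be stripped`, records why it must not be dropped. `common`, passed as the third argument, is not declared anywhere in the hunk; presumably it is a module-level binding, but worth confirming since a typo there would surface only at runtime inside the surrounding `try`. The `h('div', { id: 'msg-'+id })` element built from `Util.createRandomInteger()` is only as unique as that helper, which is not shown here. The body of `m` continues past the hunk: the `} catch (e) {` at the end of the second hunk opens a handler that is outside the view.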
|||||||