Add a filter to catch XSS-like entities and also stub an on-load test which would otherwise make pads inaccessible.

This commit is contained in:
Caleb James DeLisle
2017-08-16 10:19:24 +02:00
parent 638a94785f
commit b0b1ed037c


@@ -313,6 +313,10 @@ define([
if (!readOnly && !initializing) {
userDocStateDom.setAttribute("contenteditable", "true"); // lol wtf
}
$(userDocStateDom).find('script, applet, object, iframe').remove();
$(userDocStateDom).find('a').filter(function (i, x) {
return ! /^(https|http|ftp):\/\/[^\s\n]*$/.test(x.getAttribute('href'));
}).remove();
var patch = (DD).diff(inner, userDocStateDom);
(DD).apply(inner, patch);
if (readOnly) {
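Review bot: The new sanitizer at the top of the hunk is a tag denylist (`script, applet, object, iframe`) plus an href check on `a` elements, so attributes on every other element that still reaches `DD.apply` — inline `on*` handlers, `src`, `style` — pass through untouched, and the protection is only as strong as that list. A cheaper and stricter shape is to also strip any attribute whose name starts with `on` from the remaining elements and to add `embed` to the denylist alongside `object`/`applet`; the snippet below does that in the same jQuery style. Note too that `x.getAttribute('href')` is `null` for an anchor without an href, which the regex rejects, so named anchors are removed as well — fine if intended, but worth a comment such as `// anchors with no href, or a non-http(s)/ftp href, are dropped`; the `\n` inside `[^\s\n]` is redundant since `\s` already covers it. The enclosing function starts and ends outside the hunk.
```javascript
$(userDocStateDom).find('script, applet, object, iframe, embed').remove();
// Strip inline event-handler attributes from whatever remains; the tag
// denylist above does nothing for the elements it keeps.
$(userDocStateDom).find('*').each(function (i, el) {
    Array.prototype.slice.call(el.attributes).forEach(function (attr) {
        if (/^on/i.test(attr.name)) { el.removeAttribute(attr.name); }
    });
});
// … unchanged: href filter on anchors, diff/apply …
```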
@@ -625,8 +629,10 @@ define([
if (stringify(hjson2) !== stringify(hjson)) {
console.log('err');
console.error("shjson2 !== shjson");
Cryptpad.errorLoadingScreen(Messages.wrongApp);
throw new Error();
// TODO(cjd): This is removed because the XSS filter in applyHjson()
// is applied on incoming content so it causes this to fail.
//Cryptpad.errorLoadingScreen(Messages.wrongApp);
//throw new Error();
}
}
} else {
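Review bot: With the `Cryptpad.errorLoadingScreen(Messages.wrongApp)` and `throw new Error()` lines commented out, a mismatch between `hjson2` and `hjson` now only logs and then proceeds, so the wrong-app check no longer fails closed; the TODO explains the reason but leaves the mismatch branch looking like an error that is then ignored. If the cause is that `applyHjson()` filters incoming content, the check can be kept by comparing `hjson2` against a copy of `hjson` that went through the same filter, or by running the filter before the comparison rather than inside it — this is inferred from the TODO, not visible here. Until that is done the `console.error` should say what actually happened rather than leaving the pre-existing `console.log('err')`, e.g. `console.error("content differs after filtering; wrongApp check skipped (see TODO)");`. The enclosing function starts and ends outside the hunk.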