fix todo list with XSS

2025-07-05 05:49:53 +08:00 · 2024-06-27 21:48:59 +08:00 · 2024-06-27 21:48:59 +08:00 · 44b5251045
commit 44b5251045
parent 743e63edbf
6 changed files with 31 additions and 7 deletions
--- a/src/data/extra/extra.qrc
+++ b/src/data/extra/extra.qrc
@ -51,7 +51,8 @@
        <file>web/js/markdown-it/markdown-it-texmath.js</file>
        <file>web/js/markdown-it/markdown-it-mark.min.js</file>
        <file>web/js/markdown-it/markdown-it-inject-linenumbers.js</file>
-        <file>web/js/markdown-it/markdown-it-xss.min.js</file>
+        <file>web/js/markdown-it/xss.min.js</file>
        <file>web/js/markdown-it/markdown-it-xss.js</file>
        <file>web/js/markdown-it/markdown-it-implicit-figure.js</file>
        <file>web/js/markdown-it/markdown-it.min.js</file>
        <file>web/js/markdownit.js</file>
--- a/src/data/extra/web/js/markdown-it/README.md
+++ b/src/data/extra/web/js/markdown-it/README.md
@ -36,9 +36,6 @@ Vitaly Puzrin
 v0.0.0
 Modified by Le Tan
 # [markdown-it-xss](https://github.com/yzyeengang/markdown-it-xss)
 v1.0.0
 # [markdonw-it-anchor](https://github.com/valeriangalliat/markdown-it-anchor)
 v6.0.1
--- a/src/data/extra/web/js/markdown-it/markdown-it-xss.js
+++ b/src/data/extra/web/js/markdown-it/markdown-it-xss.js
@ -0,0 +1,21 @@
 (function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.markdownItXSS = f()}})(function(){var define,module,exports;return (function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){
 'use strict';
 module.exports = function protect_xss(md, opts = {}) {
  const proxy = (tokens, idx, options, env, self) => self.renderToken(tokens, idx, options);
  const defaultHtmlInlineRenderer = md.renderer.rules.html_inline || proxy;
  function protectFromXSS(html) {
    return filterXSS(html, opts);
  }
  function filterContent(tokens, idx, options, env, slf) {
    tokens[idx].content = protectFromXSS(tokens[idx].content);
    return defaultHtmlInlineRenderer(tokens, idx, options, env, slf);
  }
  md.renderer.rules.html_inline = filterContent;
 };
 },{}]},{},[1])(1)
 });
--- a/src/data/extra/web/js/markdown-it/markdown-it-xss.min.js
+++ b/src/data/extra/web/js/markdown-it/markdown-it-xss.min.js
--- a/src/data/extra/web/js/markdown-it/xss.min.js
+++ b/src/data/extra/web/js/markdown-it/xss.min.js
--- a/src/data/extra/web/js/markdownit.js
+++ b/src/data/extra/web/js/markdownit.js
@ -208,9 +208,14 @@ class MarkdownIt extends VxWorker {
        if (window.vxOptions.protectFromXss) {
            let scriptFolderPath = Utils.parentFolder(document.currentScript.src);
-            Utils.loadScripts([scriptFolderPath + '/markdown-it/markdown-it-xss.min.js'],
+            Utils.loadScripts([scriptFolderPath + '/markdown-it/xss.min.js',
                               scriptFolderPath + '/markdown-it/markdown-it-xss.js'],
                              () => {
-                                  this.mdit.use(window['markdown-it-xss']);
+                                  this.mdit.use(window.markdownItXSS, {
                                      whiteList: {
                                          input: ["class", "disabled", "type", "checked"],
                                      }
                                  });
                              });
        }