fix xss (#2531)

2025-07-04 21:39:52 +08:00 · 2024-07-22 22:36:38 +08:00 · 2024-07-22 22:36:38 +08:00 · f1af78573a
commit f1af78573a
parent a7600fa7f7
3 changed files with 12 additions and 12 deletions
--- a/src/data/extra/web/js/markdown-it/markdown-it-xss.js
+++ b/src/data/extra/web/js/markdown-it/markdown-it-xss.js
@ -4,17 +4,24 @@
 module.exports = function protect_xss(md, opts = {}) {
  const proxy = (tokens, idx, options, env, self) => self.renderToken(tokens, idx, options);
  const defaultHtmlInlineRenderer = md.renderer.rules.html_inline || proxy;
+  const defaultHtmlBlockRenderer = md.renderer.rules.html_block || proxy;
+  opts.whiteList = {...window.filterXSS.getDefaultWhiteList(), ...opts.whiteList};
+  // Do not escape value when it is a tag and attr in the whitelist.
+  opts.safeAttrValue = (tag, name, value, cssFilter) => { return value; }

  function protectFromXSS(html) {
    return filterXSS(html, opts);
  }

-  function filterContent(tokens, idx, options, env, slf) {
+  function filterContent(tokens, idx, options, env, slf, fallback) {
    tokens[idx].content = protectFromXSS(tokens[idx].content);
-    return defaultHtmlInlineRenderer(tokens, idx, options, env, slf);
+    return fallback(tokens, idx, options, env, slf);
  }

-  md.renderer.rules.html_inline = filterContent;
+  md.renderer.rules.html_inline = (tokens, idx, options, env, slf) =>
+    filterContent(tokens, idx, options, env, slf, defaultHtmlInlineRenderer);
+  md.renderer.rules.html_block = (tokens, idx, options, env, slf) =>
+    filterContent(tokens, idx, options, env, slf, defaultHtmlBlockRenderer);
 };

 },{}]},{},[1])(1)
--- a/src/data/extra/web/js/markdownit.js
+++ b/src/data/extra/web/js/markdownit.js
@ -214,13 +214,6 @@ class MarkdownIt extends VxWorker {
                                  this.mdit.use(window.markdownItXSS, {
                                      whiteList: {
                                          input: ["style", "class", "disabled", "type", "checked"],
-                                          mark: ["style", "class"],
-                                          font: ["style", "color", "class"],
-                                          sub: ["style", "class"],
-                                          sup: ["style", "class"],
-                                          details: ["style", "class"],
-                                          summary: ["style", "class"],
-                                          ins: ["style", "class"],
                                          span: ["style", "class"],
                                      }
                                  });
--- a/src/widgets/framelessmainwindow/framelessmainwindowwin.h
+++ b/src/widgets/framelessmainwindow/framelessmainwindowwin.h
@ -14,9 +14,9 @@ namespace vnotex

    protected:
 #if (QT_VERSION >= QT_VERSION_CHECK(6,0,0))
-        bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result);
+        bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result) Q_DECL_OVERRIDE;
 #else
-        bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result);
+        bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result) Q_DECL_OVERRIDE;
 #endif

        void moveEvent(QMoveEvent *p_event) Q_DECL_OVERRIDE;