Le Tan 2024-07-22 22:36:38 +08:00 committed by GitHub
parent a7600fa7f7
commit f1af78573a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 12 additions and 12 deletions


@ -4,17 +4,24 @@
module.exports = function protect_xss(md, opts = {}) { module.exports = function protect_xss(md, opts = {}) {
const proxy = (tokens, idx, options, env, self) => self.renderToken(tokens, idx, options); const proxy = (tokens, idx, options, env, self) => self.renderToken(tokens, idx, options);
const defaultHtmlInlineRenderer = md.renderer.rules.html_inline || proxy; const defaultHtmlInlineRenderer = md.renderer.rules.html_inline || proxy;
const defaultHtmlBlockRenderer = md.renderer.rules.html_block || proxy;
opts.whiteList = {...window.filterXSS.getDefaultWhiteList(), ...opts.whiteList};
// Do not escape value when it is a tag and attr in the whitelist.
opts.safeAttrValue = (tag, name, value, cssFilter) => { return value; }
function protectFromXSS(html) { function protectFromXSS(html) {
return filterXSS(html, opts); return filterXSS(html, opts);
} }
function filterContent(tokens, idx, options, env, slf) { function filterContent(tokens, idx, options, env, slf, fallback) {
tokens[idx].content = protectFromXSS(tokens[idx].content); tokens[idx].content = protectFromXSS(tokens[idx].content);
return defaultHtmlInlineRenderer(tokens, idx, options, env, slf); return fallback(tokens, idx, options, env, slf);
} }
md.renderer.rules.html_inline = filterContent; md.renderer.rules.html_inline = (tokens, idx, options, env, slf) =>
filterContent(tokens, idx, options, env, slf, defaultHtmlInlineRenderer);
md.renderer.rules.html_block = (tokens, idx, options, env, slf) =>
filterContent(tokens, idx, options, env, slf, defaultHtmlBlockRenderer);
}; };
},{}]},{},[1])(1) },{}]},{},[1])(1)
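Review bot: The `safeAttrValue` override at line 18 returns every attribute value verbatim, and that disables more than escaping: js-xss's default `safeAttrValue` also restricts `href`/`src` to an allow-list of schemes (rejecting `javascript:` among others), runs `style` through `cssFilter`, and escapes `"` so a value cannot close its attribute. Because line 16 now merges in the default whitelist (`a[href]`, `img[src]`, …) on top of the caller's `style` entries, raw HTML such as `<a href="javascript:...">` or `<span style="...">` appears to reach the renderer unfiltered. If the intent is only to stop escaping of values the whitelist admits, keep the default for the sensitive attributes, which is exported next to `getDefaultWhiteList`: `opts.safeAttrValue = (tag, name, value, cssFilter) => (name === "href" || name === "src" || name === "style") ? filterXSS.safeAttrValue(tag, name, value, cssFilter) : value;`. The comment on line 17 should then state what is still checked, e.g. `// Skip HTML-escaping of whitelisted values, but keep the default scheme/CSS checks.`. Separately, `opts` belongs to the caller and is mutated in place here; the browserify wrapper closed at line 31 starts outside the hunk.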


@ -214,13 +214,6 @@ class MarkdownIt extends VxWorker {
this.mdit.use(window.markdownItXSS, { this.mdit.use(window.markdownItXSS, {
whiteList: { whiteList: {
input: ["style", "class", "disabled", "type", "checked"], input: ["style", "class", "disabled", "type", "checked"],
mark: ["style", "class"],
font: ["style", "color", "class"],
sub: ["style", "class"],
sup: ["style", "class"],
details: ["style", "class"],
summary: ["style", "class"],
ins: ["style", "class"],
span: ["style", "class"], span: ["style", "class"],
} }
}); });


@ -14,9 +14,9 @@ namespace vnotex
protected: protected:
#if (QT_VERSION >= QT_VERSION_CHECK(6,0,0)) #if (QT_VERSION >= QT_VERSION_CHECK(6,0,0))
bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result); bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result) Q_DECL_OVERRIDE;
#else #else
bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result); bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result) Q_DECL_OVERRIDE;
#endif #endif
void moveEvent(QMoveEvent *p_event) Q_DECL_OVERRIDE; void moveEvent(QMoveEvent *p_event) Q_DECL_OVERRIDE;