mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2025-05-13 14:44:43 -04:00
Use JavaScript Standard Style (part 2)
Fixed all fail on frontend code.
This commit is contained in:
BoHong Li
parent
4889e9732d
commit
5bc642d02e
19 changed files with 6790 additions and 7032 deletions
|
|
@ -1,62 +1,64 @@
|
|||
/* eslint-env browser, jquery */
|
||||
/* global filterXSS */
|
||||
// allow some attributes
|
||||
var whiteListAttr = ['id', 'class', 'style'];
|
||||
window.whiteListAttr = whiteListAttr;
|
||||
var whiteListAttr = ['id', 'class', 'style']
|
||||
window.whiteListAttr = whiteListAttr
|
||||
// allow link starts with '.', '/' and custom protocol with '://'
|
||||
var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
|
||||
var linkRegex = /^([\w|-]+:\/\/)|^([.|/])+/
|
||||
// allow data uri, from https://gist.github.com/bgrins/6194623
|
||||
var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@\/?%\s]*)\s*$/i;
|
||||
var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i
|
||||
// custom white list
|
||||
var whiteList = filterXSS.whiteList;
|
||||
var whiteList = filterXSS.whiteList
|
||||
// allow ol specify start number
|
||||
whiteList['ol'] = ['start'];
|
||||
whiteList['ol'] = ['start']
|
||||
// allow li specify value number
|
||||
whiteList['li'] = ['value'];
|
||||
whiteList['li'] = ['value']
|
||||
// allow style tag
|
||||
whiteList['style'] = [];
|
||||
whiteList['style'] = []
|
||||
// allow kbd tag
|
||||
whiteList['kbd'] = [];
|
||||
whiteList['kbd'] = []
|
||||
// allow ifram tag with some safe attributes
|
||||
whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height'];
|
||||
whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height']
|
||||
// allow summary tag
|
||||
whiteList['summary'] = [];
|
||||
whiteList['summary'] = []
|
||||
|
||||
var filterXSSOptions = {
|
||||
allowCommentTag: true,
|
||||
whiteList: whiteList,
|
||||
escapeHtml: function (html) {
|
||||
allowCommentTag: true,
|
||||
whiteList: whiteList,
|
||||
escapeHtml: function (html) {
|
||||
// allow html comment in multiple lines
|
||||
return html.replace(/<(.*?)>/g, '<$1>');
|
||||
},
|
||||
onIgnoreTag: function (tag, html, options) {
|
||||
return html.replace(/<(.*?)>/g, '<$1>')
|
||||
},
|
||||
onIgnoreTag: function (tag, html, options) {
|
||||
// allow comment tag
|
||||
if (tag == "!--") {
|
||||
if (tag === '!--') {
|
||||
// do not filter its attributes
|
||||
return html;
|
||||
}
|
||||
},
|
||||
onTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||
// allow href and src that match linkRegex
|
||||
if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||
}
|
||||
// allow data uri in img src
|
||||
if (isWhiteAttr && (tag == "img" && name === 'src') && dataUriRegex.test(value)) {
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||
}
|
||||
},
|
||||
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||
// allow attr start with 'data-' or in the whiteListAttr
|
||||
if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
|
||||
// escape its value using built-in escapeAttrValue function
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||
}
|
||||
return html
|
||||
}
|
||||
};
|
||||
|
||||
function preventXSS(html) {
|
||||
return filterXSS(html, filterXSSOptions);
|
||||
},
|
||||
onTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||
// allow href and src that match linkRegex
|
||||
if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"'
|
||||
}
|
||||
// allow data uri in img src
|
||||
if (isWhiteAttr && (tag === 'img' && name === 'src') && dataUriRegex.test(value)) {
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"'
|
||||
}
|
||||
},
|
||||
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||
// allow attr start with 'data-' or in the whiteListAttr
|
||||
if (name.substr(0, 5) === 'data-' || window.whiteListAttr.indexOf(name) !== -1) {
|
||||
// escape its value using built-in escapeAttrValue function
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"'
|
||||
}
|
||||
}
|
||||
}
|
||||
window.preventXSS = preventXSS;
|
||||
|
||||
function preventXSS (html) {
|
||||
return filterXSS(html, filterXSSOptions)
|
||||
}
|
||||
window.preventXSS = preventXSS
|
||||
|
||||
module.exports = {
|
||||
preventXSS: preventXSS
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue