chore: fix a few security vulnerabilities
parent
a62d53e9a7
commit
dc53699a96
|
@ -326,7 +326,7 @@ const setupToolTips = function (element) {
|
||||||
|
|
||||||
tooltipElem.transition().duration(200).style('opacity', '.9');
|
tooltipElem.transition().duration(200).style('opacity', '.9');
|
||||||
tooltipElem
|
tooltipElem
|
||||||
.html(el.attr('title'))
|
.text(el.attr('title'))
|
||||||
.style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
|
.style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
|
||||||
.style('top', window.scrollY + rect.top - 14 + document.body.scrollTop + 'px');
|
.style('top', window.scrollY + rect.top - 14 + document.body.scrollTop + 'px');
|
||||||
el.classed('hover', true);
|
el.classed('hover', true);
|
||||||
|
|
|
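Review bot: Switching the line after `tooltipElem` from `.html(el.attr('title'))` to `.text(el.attr('title'))` closes the injection path, but it also means any markup that previously rendered in a tooltip (a `<br>` or `<b>` carried in a node's `title`) now shows as literal text, so the commit should confirm titles were never meant to carry markup, or otherwise pass the value through an allow-listed sanitizer before `.html()` if rich tooltips are a feature. `setupToolTips` starts and ends outside this hunk, so I cannot see where `title` is populated; if it comes from diagram text, escaping here is the right default. A one-line reason on the changed line would keep it from being reverted for cosmetic reasons: `// title is diagram-controlled: set as text, never parsed as HTML`.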
@ -57,11 +57,11 @@ export const removeScript = (txt) => {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
let decodedText = removeEscapes(rs);
|
let decodedText = removeEscapes(rs);
|
||||||
decodedText = decodedText.replace(/script>/gi, '#');
|
decodedText = decodedText.replaceAll(/script>/gi, '#');
|
||||||
decodedText = decodedText.replace(/javascript:/gi, '#');
|
decodedText = decodedText.replaceAll(/javascript:/gi, '#');
|
||||||
decodedText = decodedText.replace(/javascript&colon/gi, '#');
|
decodedText = decodedText.replaceAll(/javascript&colon/gi, '#');
|
||||||
decodedText = decodedText.replace(/onerror=/gi, 'onerror:');
|
decodedText = decodedText.replaceAll(/onerror=/gi, 'onerror:');
|
||||||
decodedText = decodedText.replace(/<iframe/gi, '');
|
decodedText = decodedText.replaceAll(/<iframe/gi, '');
|
||||||
return decodedText;
|
return decodedText;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
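Review bot: `replaceAll(/script>/gi, '#')` and the four lines below it behave exactly like the `replace` calls they supersede — with a `/g` regex, `String.prototype.replace` already substitutes every match, and `replaceAll` only adds a TypeError when the `g` flag is missing — so this hunk changes no sanitization output on its own. The weakness in these lines is the blocklist: only `onerror=` is neutralised while `onload=`, `onclick=`, `onmouseover=` and every other inline handler pass through, `onerror =` with whitespace around the `=` also survives, and `<iframe` is stripped while `<object`, `<embed` and `<svg` are not. At minimum widen the handler rule to `decodedText = decodedText.replaceAll(/\b(on\w+)\s*=/gi, '$1:');`; a real HTML sanitizer would be the durable fix. The start of `removeScript` (where `rs` is built from the input) lies outside this hunk, so I cannot tell whether an earlier step already catches any of these.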
@ -1,6 +1,14 @@
|
||||||
import { sanitizeText, removeScript, removeEscapes } from './common';
|
import { sanitizeText, removeScript, removeEscapes } from './common';
|
||||||
|
|
||||||
describe('when securityLevel is antiscript, all script must be removed', function () {
|
describe('when securityLevel is antiscript, all script must be removed', function () {
|
||||||
|
/**
|
||||||
|
* @param {string} original The original text
|
||||||
|
* @param {string} result The expected sanitized text
|
||||||
|
*/
|
||||||
|
function compareRemoveScript(original, result) {
|
||||||
|
expect(removeScript(original)).toEqual(result);
|
||||||
|
}
|
||||||
|
|
||||||
it('should remove all script block, script inline.', function () {
|
it('should remove all script block, script inline.', function () {
|
||||||
const labelString = `1
|
const labelString = `1
|
||||||
Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
|
Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
|
||||||
|
@ -9,19 +17,34 @@ describe('when securityLevel is antiscript, all script must be removed', functio
|
||||||
alert('script run......');
|
alert('script run......');
|
||||||
</script>1
|
</script>1
|
||||||
1`;
|
1`;
|
||||||
|
|
||||||
const result = removeScript(labelString);
|
|
||||||
const hasScript = result.indexOf('script') >= 0;
|
|
||||||
expect(hasScript).toEqual(false);
|
|
||||||
|
|
||||||
const exactlyString = `1
|
const exactlyString = `1
|
||||||
Act1: Hello 11
|
Act1: Hello 11
|
||||||
<b>Act2</b>:
|
<b>Act2</b>:
|
||||||
11
|
11
|
||||||
1`;
|
1`;
|
||||||
|
compareRemoveScript(labelString, exactlyString);
|
||||||
|
});
|
||||||
|
|
||||||
const isEqual = result == exactlyString;
|
it('should remove all javascript urls', function () {
|
||||||
expect(isEqual).toEqual(true);
|
compareRemoveScript(
|
||||||
|
`This is a <a href="javascript:runHijackingScript();">clean link</a> + <a href="javascript:runHijackingScript();">clean link</a>
|
||||||
|
and <a href="javascript:bipassedMining();">me too</a>`,
|
||||||
|
`This is a <a href="#runHijackingScript();">clean link</a> + <a href="#runHijackingScript();">clean link</a>
|
||||||
|
and <a href="#;bipassedMining();">me too</a>`
|
||||||
|
);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should detect malicious images', function () {
|
||||||
|
compareRemoveScript(`<img onerror="alert('hello');">`, `<img onerror:"alert('hello');">`);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should detect iframes', function () {
|
||||||
|
compareRemoveScript(
|
||||||
|
`<iframe src="http://abc.com/script1.js"></iframe>
|
||||||
|
<iframe src="http://example.com/iframeexample"></iframe>`,
|
||||||
|
` src="http://abc.com/script1.js"></iframe>
|
||||||
|
src="http://example.com/iframeexample"></iframe>`
|
||||||
|
);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
|
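Review bot: The new `should detect malicious images` case pins the sanitizer's weakest behaviour — it asserts the exact string `<img onerror:"alert('hello');">` for one handler name rather than checking that no executable attribute survives. Add cases for other handlers and for spacing, e.g. `compareRemoveScript('<img onload="x()">', …)` and `<img onerror = "x()">`, and assert on the property instead: `expect(removeScript(input)).not.toMatch(/\bon\w+\s*=/i);`. If those cases fail today, that documents a gap in `removeScript` rather than a problem with the test. The expected `#;bipassedMining();` in the javascript-url case only follows if that input literally contains `javascript&colon;`, which the rendered page may have decoded to `:`; worth a quick check that the source reads as intended.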
@ -417,7 +417,7 @@ const setupToolTips = function (element) {
|
||||||
|
|
||||||
tooltipElem.transition().duration(200).style('opacity', '.9');
|
tooltipElem.transition().duration(200).style('opacity', '.9');
|
||||||
tooltipElem
|
tooltipElem
|
||||||
.html(el.attr('title'))
|
.text(el.attr('title'))
|
||||||
.style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
|
.style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
|
||||||
.style('top', window.scrollY + rect.top - 14 + document.body.scrollTop + 'px');
|
.style('top', window.scrollY + rect.top - 14 + document.body.scrollTop + 'px');
|
||||||
el.classed('hover', true);
|
el.classed('hover', true);
|
||||||
|
|
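Review bot: The `.text(el.attr('title'))` line is the right default for a tooltip whose content originates in diagram text, since d3's `.text()` assigns textContent and so neutralises any markup in `title`; the identical `.html` → `.text` swap appears in the `@ -326,7 +326,7` hunk earlier in this commit, which shows the tooltip code is duplicated between two renderers and will drift again. Consider extracting the shared tooltip setup so the next fix lands once, and leave the reason on the line: `// .text(), not .html(): title must never be parsed as HTML`. `setupToolTips` begins and ends outside this hunk, so I cannot confirm the title's origin from what is visible here.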