Merge pull request #1471 from vantoan8x/securityLevel_antiscript_option

add security level antiscript option, use rich html format but dont permit script element.
2020-07-12 10:58:08 +02:00 · 2020-07-12 10:58:08 +02:00 · e93a0556e7
parent 12668b78b9 fce2a16e42
commit e93a0556e7
3 changed files with 66 additions and 8 deletions
--- a/src/config.js
+++ b/src/config.js
@ -77,11 +77,12 @@ const config = {
  /**
   *| Parameter | Description |Type | Required | Values|
   *| --- | --- | --- | --- | --- |
-   *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose |
+   *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose, antiscript |
   *
   ***Notes:
   *-   **strict**: (**default**) tags in text are encoded, click functionality is disabeled
   *-   **loose**: tags in text are allowed, click functionality is enabled
+   *-   **antiscript**: html tags in text are allowed, (only script element is removed), click functionality is enabled
   */
  securityLevel: 'strict',

--- a/src/diagrams/common/common.js
+++ b/src/diagrams/common/common.js
@ -5,6 +5,30 @@ export const getRows = s => {
  return str.split('#br#');
 };

+export const removeScript = txt => {
+  var rs = '';
+  var idx = 0;
+
+  while (idx >= 0) {
+    idx = txt.indexOf('<script');
+    if (idx >= 0) {
+      rs += txt.substr(0, idx);
+      txt = txt.substr(idx + 1);
+
+      idx = txt.indexOf('</script>');
+      if (idx >= 0) {
+        idx += 9;
+        txt = txt.substr(idx);
+      }
+    } else {
+      rs += txt;
+      idx = -1;
+      break;
+    }
+  }
+  return rs;
+};
+
 export const sanitizeText = (text, config) => {
  let txt = text;
  let htmlLabels = true;
@ -14,12 +38,18 @@ export const sanitizeText = (text, config) => {
  )
    htmlLabels = false;

-  if (config.securityLevel !== 'loose' && htmlLabels) {
-    // eslint-disable-line
-    txt = breakToPlaceholder(txt);
-    txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');
-    txt = txt.replace(/=/g, '&equals;');
-    txt = placeholderToBreak(txt);
+  if (htmlLabels) {
+    var level = config.securityLevel;
+
+    if (level == 'antiscript') {
+      txt = removeScript(txt);
+    } else if (level !== 'loose') {
+      // eslint-disable-line
+      txt = breakToPlaceholder(txt);
+      txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+      txt = txt.replace(/=/g, '&equals;');
+      txt = placeholderToBreak(txt);
+    }
  }

  return txt;
@ -48,5 +78,6 @@ export default {
  sanitizeText,
  hasBreaks,
  splitBreaks,
-  lineBreakRegex
+  lineBreakRegex,
+  removeScript
 };
--- a/src/diagrams/common/common.spec.js
+++ b/src/diagrams/common/common.spec.js
@ -0,0 +1,26 @@
+import { removeScript } from './common';
+
+describe('when securityLevel is antiscript, all script must be removed', function() {
+  it('should remove all script block, script inline.', function() {
+    const labelString = `1
+		Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
+		<b>Act2</b>:
+		1<script>
+			alert('script run......');
+		</script>1
+	1`;
+
+	const result = removeScript(labelString);
+	const hasScript = (result.indexOf("script") >= 0);
+    expect(hasScript).toEqual(false);
+
+	const exactlyString = `1
+		Act1: Hello 11
+		<b>Act2</b>:
+		11
+	1`;
+
+	const isEqual = (result == exactlyString);
+    expect(isEqual).toEqual(true);
+  });
+});