add security level antiscript option, to allow rich html formatting but remove all script elements.
This commit is contained in:
parent
5242672efb
commit
fce2a16e42
|
@ -77,11 +77,12 @@ const config = {
|
||||||
/**
|
/**
|
||||||
*| Parameter | Description |Type | Required | Values|
|
*| Parameter | Description |Type | Required | Values|
|
||||||
*| --- | --- | --- | --- | --- |
|
*| --- | --- | --- | --- | --- |
|
||||||
*| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose |
|
*| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose, antiscript |
|
||||||
*
|
*
|
||||||
***Notes:
|
***Notes:
|
||||||
*- **strict**: (**default**) tags in text are encoded, click functionality is disabeled
|
*- **strict**: (**default**) tags in text are encoded, click functionality is disabeled
|
||||||
*- **loose**: tags in text are allowed, click functionality is enabled
|
*- **loose**: tags in text are allowed, click functionality is enabled
|
||||||
|
*- **antiscript**: html tags in text are allowed, (only script element is removed), click functionality is enabled
|
||||||
*/
|
*/
|
||||||
securityLevel: 'strict',
|
securityLevel: 'strict',
|
||||||
|
|
||||||
|
|
|
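Review bot: The new `antiscript` row and note in the JSDoc say that html tags are allowed and "only script element is removed", which readers will take to mean the remaining text cannot run code; `removeScript` in this commit only strips `<script>` elements and passes every other tag and attribute through unchanged, so the note should state exactly that guarantee. Suggested wording: `*- **antiscript**: html tags in text are allowed; \`<script>\` elements are removed, all other tags and attributes are passed through unchanged. Click functionality is enabled.` Also note that the table cell lists the value as `antiscript` in lowercase while the other two are capitalised; `sanitizeText` compares against the lowercase string, so the table should use the same form.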
@ -5,6 +5,30 @@ export const getRows = s => {
|
||||||
return str.split('#br#');
|
return str.split('#br#');
|
||||||
};
|
};
|
||||||
|
|
||||||
|
export const removeScript = txt => {
|
||||||
|
var rs = '';
|
||||||
|
var idx = 0;
|
||||||
|
|
||||||
|
while (idx >= 0) {
|
||||||
|
idx = txt.indexOf('<script');
|
||||||
|
if (idx >= 0) {
|
||||||
|
rs += txt.substr(0, idx);
|
||||||
|
txt = txt.substr(idx + 1);
|
||||||
|
|
||||||
|
idx = txt.indexOf('</script>');
|
||||||
|
if (idx >= 0) {
|
||||||
|
idx += 9;
|
||||||
|
txt = txt.substr(idx);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
rs += txt;
|
||||||
|
idx = -1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return rs;
|
||||||
|
};
|
||||||
|
|
||||||
export const sanitizeText = (text, config) => {
|
export const sanitizeText = (text, config) => {
|
||||||
let txt = text;
|
let txt = text;
|
||||||
let htmlLabels = true;
|
let htmlLabels = true;
|
||||||
|
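Review bot: `removeScript` locates `'<script'` and `'</script>'` with a case-sensitive `indexOf`, but HTML tag names are case-insensitive, so the search should run against a lower-cased copy of the input while slicing the original. When no closing tag is found the loop has already dropped only the `<` and then appends the rest of the element verbatim on the next iteration, so the element's body leaks into the output; it is safer to discard the remainder. Smaller points: `idx += 9` is the literal length of `'</script>'`, `substr` is deprecated in favour of `slice`, `var` should be `let`/`const`, and the `txt` parameter is reassigned; a JSDoc line such as `/** Returns text with every <script>…</script> element removed (case-insensitive); no other markup is touched. */` would document the contract. The rewrite below keeps the name and signature.
```javascript
export const removeScript = txt => {
  const OPEN = '<script';
  const CLOSE = '</script>';
  let rest = txt;
  let out = '';
  for (;;) {
    // Match on a lower-cased copy so <SCRIPT> is treated like <script>.
    const lower = rest.toLowerCase();
    const start = lower.indexOf(OPEN);
    if (start < 0) {
      return out + rest;
    }
    out += rest.slice(0, start);
    const end = lower.indexOf(CLOSE, start + OPEN.length);
    // An unterminated element runs to the end of the input; drop it rather than leak its body.
    if (end < 0) {
      return out;
    }
    rest = rest.slice(end + CLOSE.length);
  }
};
```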
@ -14,12 +38,18 @@ export const sanitizeText = (text, config) => {
|
||||||
)
|
)
|
||||||
htmlLabels = false;
|
htmlLabels = false;
|
||||||
|
|
||||||
if (config.securityLevel !== 'loose' && htmlLabels) {
|
if (htmlLabels) {
|
||||||
// eslint-disable-line
|
var level = config.securityLevel;
|
||||||
txt = breakToPlaceholder(txt);
|
|
||||||
txt = txt.replace(/</g, '<').replace(/>/g, '>');
|
if (level == 'antiscript') {
|
||||||
txt = txt.replace(/=/g, '=');
|
txt = removeScript(txt);
|
||||||
txt = placeholderToBreak(txt);
|
} else if (level !== 'loose') {
|
||||||
|
// eslint-disable-line
|
||||||
|
txt = breakToPlaceholder(txt);
|
||||||
|
txt = txt.replace(/</g, '<').replace(/>/g, '>');
|
||||||
|
txt = txt.replace(/=/g, '=');
|
||||||
|
txt = placeholderToBreak(txt);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return txt;
|
return txt;
|
||||||
|
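Review bot: The new branch uses loose equality, `if (level == 'antiscript') {`, while the sibling branch on the next line uses `!==`; make it `if (level === 'antiscript') {` and declare `const level = config.securityLevel;` instead of `var`. In this branch neither `breakToPlaceholder` nor the `<`/`>`/`=` encoding runs, so `antiscript` behaves like `loose` plus `removeScript`; a one-line comment stating that, e.g. `// antiscript: same as loose, but <script> elements are stripped`, would make the intent clear to the next reader. The enclosing `sanitizeText` function starts before this hunk.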
@ -48,5 +78,6 @@ export default {
|
||||||
sanitizeText,
|
sanitizeText,
|
||||||
hasBreaks,
|
hasBreaks,
|
||||||
splitBreaks,
|
splitBreaks,
|
||||||
lineBreakRegex
|
lineBreakRegex,
|
||||||
|
removeScript
|
||||||
};
|
};
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
import { removeScript } from './common';
|
||||||
|
|
||||||
|
describe('when securityLevel is antiscript, all script must be removed', function() {
|
||||||
|
it('should remove all script block, script inline.', function() {
|
||||||
|
const labelString = `1
|
||||||
|
Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
|
||||||
|
<b>Act2</b>:
|
||||||
|
1<script>
|
||||||
|
alert('script run......');
|
||||||
|
</script>1
|
||||||
|
1`;
|
||||||
|
|
||||||
|
const result = removeScript(labelString);
|
||||||
|
const hasScript = (result.indexOf("script") >= 0);
|
||||||
|
expect(hasScript).toEqual(false);
|
||||||
|
|
||||||
|
const exactlyString = `1
|
||||||
|
Act1: Hello 11
|
||||||
|
<b>Act2</b>:
|
||||||
|
11
|
||||||
|
1`;
|
||||||
|
|
||||||
|
const isEqual = (result == exactlyString);
|
||||||
|
expect(isEqual).toEqual(true);
|
||||||
|
});
|
||||||
|
});
|
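Review bot: `const hasScript = (result.indexOf("script") >= 0);` only shows that the literal lowercase word is absent for this one input; since `removeScript` matches case-sensitively, an input written as `<SCRIPT>` would pass through and no test here would notice, so a case-variant input and an unterminated `<script` input should be added to pin the intended behaviour. The comparison `const isEqual = (result == exactlyString); expect(isEqual).toEqual(true);` hides the actual and expected strings on failure; `expect(result).toEqual(exactlyString);` reports the diff directly.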