Add a `securityLevel` option, `antiscript`, that keeps rich HTML formatting in labels but removes all script elements.
parent
5242672efb
commit
fce2a16e42
@ -77,11 +77,12 @@ const config = {
|
|||
/**
|
||||
*| Parameter | Description |Type | Required | Values|
|
||||
*| --- | --- | --- | --- | --- |
|
||||
*| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose |
|
||||
*| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose, antiscript |
|
||||
*
|
||||
***Notes:
|
||||
*- **strict**: (**default**) tags in text are encoded, click functionality is disabeled
|
||||
*- **loose**: tags in text are allowed, click functionality is enabled
|
||||
*- **antiscript**: html tags in text are allowed, (only script element is removed), click functionality is enabled
|
||||
*/
|
||||
securityLevel: 'strict',
|
||||
|
||||
|
|
|
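Review bot: The new `antiscript` note reads as a safety guarantee ("only script element is removed"), but stripping `<script>` elements does not stop inline event-handler attributes (`onerror`, `onload`, `onmouseover`) or `javascript:` URLs on the tags that remain allowed, so a reader will over-trust this level. The comment should say so plainly, e.g. `*- **antiscript**: html tags in text are allowed; only <script> elements are removed (event-handler attributes and javascript: URLs are NOT), click functionality is enabled. Not safe for diagrams from untrusted sources.`. The table cell on the new line also mixes `Strict, Loose, antiscript` — use one casing for all three values. The enclosing `config` object starts before this hunk.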
@ -5,6 +5,30 @@ export const getRows = s => {
|
|||
return str.split('#br#');
|
||||
};
|
||||
|
||||
export const removeScript = txt => {
|
||||
var rs = '';
|
||||
var idx = 0;
|
||||
|
||||
while (idx >= 0) {
|
||||
idx = txt.indexOf('<script');
|
||||
if (idx >= 0) {
|
||||
rs += txt.substr(0, idx);
|
||||
txt = txt.substr(idx + 1);
|
||||
|
||||
idx = txt.indexOf('</script>');
|
||||
if (idx >= 0) {
|
||||
idx += 9;
|
||||
txt = txt.substr(idx);
|
||||
}
|
||||
} else {
|
||||
rs += txt;
|
||||
idx = -1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
return rs;
|
||||
};
|
||||
|
||||
export const sanitizeText = (text, config) => {
|
||||
let txt = text;
|
||||
let htmlLabels = true;
|
||||
|
@ -14,13 +38,19 @@ export const sanitizeText = (text, config) => {
|
|||
)
|
||||
htmlLabels = false;
|
||||
|
||||
if (config.securityLevel !== 'loose' && htmlLabels) {
|
||||
if (htmlLabels) {
|
||||
var level = config.securityLevel;
|
||||
|
||||
if (level == 'antiscript') {
|
||||
txt = removeScript(txt);
|
||||
} else if (level !== 'loose') {
|
||||
// eslint-disable-line
|
||||
txt = breakToPlaceholder(txt);
|
||||
txt = txt.replace(/</g, '<').replace(/>/g, '>');
|
||||
txt = txt.replace(/=/g, '=');
|
||||
txt = placeholderToBreak(txt);
|
||||
}
|
||||
}
|
||||
|
||||
return txt;
|
||||
};
|
||||
|
@ -48,5 +78,6 @@ export default {
|
|||
sanitizeText,
|
||||
hasBreaks,
|
||||
splitBreaks,
|
||||
lineBreakRegex
|
||||
lineBreakRegex,
|
||||
removeScript
|
||||
};
|
||||
|
|
|
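Review bot: `removeScript` matches `'<script'` and `'</script>'` with case-sensitive `indexOf`, so `<SCRIPT>alert(1)</SCRIPT>` (or any mixed-case spelling, which browsers treat identically) passes through untouched; the same goes for a closing tag written `</script >`, where only the leading `<` of the opener is dropped. Beyond that, removing script elements is not sanitization: `<img src=x onerror=…>`, `<svg onload=…>` and `<a href="javascript:…">` survive and, assuming these labels are rendered as HTML when `htmlLabels` is true (the rendering side is not in this diff), will execute — the `antiscript` level should be documented as unsafe for untrusted input, or backed by a real allow-list HTML sanitizer rather than a tag scan. Smaller points in the same hunk: the magic `9` is `'</script>'.length`, `var` should be `let`/`const`, and `level == 'antiscript'` in `sanitizeText` should use `===` like the surrounding comparisons. A case-insensitive, regex-based replacement fixes the bypasses above while still satisfying the new test's exact-string expectation:

```javascript
// Tag names are case-insensitive in HTML; the lazy body match removes each
// <script>…</script> element separately when a label contains several.
const SCRIPT_ELEMENT = /<script\b[^>]*>[\s\S]*?<\/script\b[^>]*>/gi;
// An unterminated <script …> opener would otherwise reach the DOM; drop the tag itself.
const DANGLING_SCRIPT_TAG = /<script\b[^>]*>?/gi;

export const removeScript = txt =>
  txt.replace(SCRIPT_ELEMENT, '').replace(DANGLING_SCRIPT_TAG, '');
```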
@ -0,0 +1,26 @@
|
|||
import { removeScript } from './common';
|
||||
|
||||
describe('when securityLevel is antiscript, all script must be removed', function() {
|
||||
it('should remove all script block, script inline.', function() {
|
||||
const labelString = `1
|
||||
Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
|
||||
<b>Act2</b>:
|
||||
1<script>
|
||||
alert('script run......');
|
||||
</script>1
|
||||
1`;
|
||||
|
||||
const result = removeScript(labelString);
|
||||
const hasScript = (result.indexOf("script") >= 0);
|
||||
expect(hasScript).toEqual(false);
|
||||
|
||||
const exactlyString = `1
|
||||
Act1: Hello 11
|
||||
<b>Act2</b>:
|
||||
11
|
||||
1`;
|
||||
|
||||
const isEqual = (result == exactlyString);
|
||||
expect(isEqual).toEqual(true);
|
||||
});
|
||||
});
|
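Review bot: The new test only exercises lowercase `<script>` tags, so it cannot catch the obvious bypasses of a tag scanner; add `expect(removeScript('<SCRIPT>alert(1)</SCRIPT>')).toEqual('');` (which the case-sensitive `indexOf` in `removeScript` currently fails, documenting the gap) and `expect(removeScript('<script>alert(1)')).not.toContain('<script');` for an unterminated tag. The negative check `result.indexOf("script") >= 0` is also too blunt — it would reject legitimate label text such as "description" — so keep the exact-string comparison as the assertion and drop the substring check, or make it `expect(result).not.toMatch(/<\/?script/i)`.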