Add XSS prevention

closes #3387 - added placeholder for <script> and <iframe> - added google-caja sanitizer - changed title in posts overview to ‚double-stash‘
2024-11-28 22:43:30 +03:00 · 2014-07-25 12:42:42 +02:00 · 2014-07-25 12:42:42 +02:00 · d40f545106
commit d40f545106
parent 3cb2a03170
4 changed files with 64 additions and 4 deletions
--- a/ghost/admin/helpers/gh-format-html.js
+++ b/ghost/admin/helpers/gh-format-html.js
@ -0,0 +1,18 @@
+/* global Handlebars, html_sanitize*/
+import cajaSanitizers from 'ghost/utils/caja-sanitizers';
+
+var formatHTML = Ember.Handlebars.makeBoundHelper(function (html) {
+    var escapedhtml = html || '';
+
+    // replace script and iFrame
+    escapedhtml = escapedhtml.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
+        '<pre><code>Embedded JavaScript</code></pre>');
+    escapedhtml = escapedhtml.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi,
+        '<pre><code>Embedded IFrame</code></pre>');
+
+    // sanitize HTML
+    escapedhtml = html_sanitize(escapedhtml, cajaSanitizers.url, cajaSanitizers.id);
+    return new Handlebars.SafeString(escapedhtml);
+});
+
+export default formatHTML;
--- a/ghost/admin/helpers/gh-format-markdown.js
+++ b/ghost/admin/helpers/gh-format-markdown.js
@ -1,8 +1,21 @@
-/* global Showdown, Handlebars */
+/* global Showdown, Handlebars, html_sanitize*/
+import cajaSanitizers from 'ghost/utils/caja-sanitizers';
+
 var showdown = new Showdown.converter({extensions: ['ghostimagepreview', 'ghostgfm']});

 var formatMarkdown = Ember.Handlebars.makeBoundHelper(function (markdown) {
-    return new Handlebars.SafeString(showdown.makeHtml(markdown || ''));
+    var html = '';
+
+    // replace script and iFrame
+    markdown = markdown.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '```\nEmbedded JavaScript\n```');
+    markdown = markdown.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi, '```\nEmbedded IFrame\n```');
+
+    // convert markdown to HTML
+    html = showdown.makeHtml(markdown || '');
+
+    // sanitize html
+    html = html_sanitize(html, cajaSanitizers.url, cajaSanitizers.id);
+    return new Handlebars.SafeString(html);
 });

 export default formatMarkdown;
--- a/ghost/admin/templates/posts/post.hbs
+++ b/ghost/admin/templates/posts/post.hbs
@ -2,7 +2,7 @@

 {{#view "content-preview-content-view" tagName="section"}}
    <div class="wrapper">
-        <h1>{{{title}}}</h1>
-        {{{html}}}
+        <h1>{{title}}</h1>
+        {{gh-format-html html}}
    </div>
 {{/view}}
--- a/ghost/admin/utils/caja-sanitizers.js
+++ b/ghost/admin/utils/caja-sanitizers.js
@ -0,0 +1,29 @@
+/**
+ * google-caja uses url() and id() to verify if the values are allowed.
+ */
+var url,
+    id;
+
+/**
+ * Check if URL is allowed
+ * URLs are allowed if they start with http://, https://, or /.
+ */
+var url = function (url) {
+	url = url.toString().replace(/['"]+/g, '');
+    if (/^https?:\/\//.test(url) || /^\//.test(url)) {
+        return url;
+    }
+};
+
+/**
+ * Check if ID is allowed
+ * All ids are allowed at the moment.
+ */
+var id = function (id) {
+    return id;
+};
+
+export default {
+    url: url,
+    id: id
+};