TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-11-28 22:43:30 +03:00
Code Issues Projects Releases Wiki Activity

Add XSS prevention

Browse Source 
closes #3387
- added placeholder for <script> and <iframe>
- added google-caja sanitizer
- changed title in posts overview to ‚double-stash‘
This commit is contained in:
Sebastian Gierlinger 2014-07-25 12:42:42 +02:00
parent 3cb2a03170
commit d40f545106
4 changed files with 64 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
ghost/admin/helpers/gh-format-html.js Normal file
View File

@ -0,0 +1,18 @@
/* global Handlebars, html_sanitize*/
import cajaSanitizers from 'ghost/utils/caja-sanitizers';
var formatHTML = Ember.Handlebars.makeBoundHelper(function (html) {
var escapedhtml = html || '';
// replace script and iFrame
escapedhtml = escapedhtml.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
'<pre><code>Embedded JavaScript</code></pre>');
escapedhtml = escapedhtml.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi,
'<pre><code>Embedded IFrame</code></pre>');
// sanitize HTML
escapedhtml = html_sanitize(escapedhtml, cajaSanitizers.url, cajaSanitizers.id);
return new Handlebars.SafeString(escapedhtml);
});
export default formatHTML;

17
ghost/admin/helpers/gh-format-markdown.js
View File

@ -1,8 +1,21 @@
/* global Showdown, Handlebars */ /* global Showdown, Handlebars, html_sanitize*/
import cajaSanitizers from 'ghost/utils/caja-sanitizers';
var showdown = new Showdown.converter({extensions: ['ghostimagepreview', 'ghostgfm']}); var showdown = new Showdown.converter({extensions: ['ghostimagepreview', 'ghostgfm']});
var formatMarkdown = Ember.Handlebars.makeBoundHelper(function (markdown) { var formatMarkdown = Ember.Handlebars.makeBoundHelper(function (markdown) {
return new Handlebars.SafeString(showdown.makeHtml(markdown || '')); var html = '';
// replace script and iFrame
markdown = markdown.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '```\nEmbedded JavaScript\n```');
markdown = markdown.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi, '```\nEmbedded IFrame\n```');
// convert markdown to HTML
html = showdown.makeHtml(markdown || '');
// sanitize html
html = html_sanitize(html, cajaSanitizers.url, cajaSanitizers.id);
return new Handlebars.SafeString(html);
}); });
export default formatMarkdown; export default formatMarkdown;

4
ghost/admin/templates/posts/post.hbs
View File

@ -2,7 +2,7 @@
{{#view "content-preview-content-view" tagName="section"}} {{#view "content-preview-content-view" tagName="section"}}
<div class="wrapper"> <div class="wrapper">
<h1>{{{title}}}</h1> <h1>{{title}}</h1>
{{{html}}} {{gh-format-html html}}
</div> </div>
{{/view}} {{/view}}

29
ghost/admin/utils/caja-sanitizers.js Normal file
View File

@ -0,0 +1,29 @@
/**
* google-caja uses url() and id() to verify if the values are allowed.
*/
var url,
id;
/**
* Check if URL is allowed
* URLs are allowed if they start with http://, https://, or /.
*/
var url = function (url) {
url = url.toString().replace(/['"]+/g, '');
if (/^https?:\/\//.test(url) || /^\//.test(url)) {
return url;
}
};
/**
* Check if ID is allowed
* All ids are allowed at the moment.
*/
var id = function (id) {
return id;
};
export default {
url: url,
id: id
};