Add XSS prevention

closes #3387 - added placeholder for <script> and <iframe> - added google-caja sanitizer - changed title in posts overview to ‚double-stash‘
2024-12-01 05:50:35 +03:00 · 2014-07-25 12:42:42 +02:00 · 2014-07-25 12:42:42 +02:00 · d895238571
commit d895238571
parent 6628127297
7 changed files with 72 additions and 9 deletions
--- a/Gruntfile.js
+++ b/Gruntfile.js
@ -443,6 +443,7 @@ var path           = require('path'),
                        'bower_components/nprogress/nprogress.js',
                        'bower_components/ember-simple-auth/simple-auth.js',
                        'bower_components/ember-simple-auth/simple-auth-oauth2.js',
+                        'bower_components/google-caja/html-css-sanitizer-bundle.js',

                        'core/shared/lib/showdown/extensions/ghostimagepreview.js',
                        'core/shared/lib/showdown/extensions/ghostgfm.js'
@ -475,8 +476,9 @@ var path           = require('path'),
                        'bower_components/jquery-file-upload/js/jquery.fileupload.js',
                        'bower_components/fastclick/lib/fastclick.js',
                        'bower_components/nprogress/nprogress.js',
-                        'bower_components/ember-simple-auth/ember-simple-auth.js',
-                        'bower_components/ember-simple-auth/ember-simple-auth-oauth2.js',
+                        'bower_components/ember-simple-auth/simple-auth.js',
+                        'bower_components/ember-simple-auth/simple-auth-oauth2.js',
+                        'bower_components/google-caja/html-css-sanitizer-bundle.js',

                        'core/shared/lib/showdown/extensions/ghostimagepreview.js',
                        'core/shared/lib/showdown/extensions/ghostgfm.js'
--- a/bower.json
+++ b/bower.json
@ -23,6 +23,7 @@
    "moment": "2.4.0",
    "nprogress": "0.1.2",
    "showdown": "git://github.com/ErisDS/showdown.git#v0.3.2-ghost",
-    "validator-js": "3.4.0"
+    "validator-js": "3.4.0",
+    "google-caja": "5669.0.0"
  }
 }
--- a/core/client/helpers/gh-format-html.js
+++ b/core/client/helpers/gh-format-html.js
@ -0,0 +1,18 @@
+/* global Handlebars, html_sanitize*/
+import cajaSanitizers from 'ghost/utils/caja-sanitizers';
+
+var formatHTML = Ember.Handlebars.makeBoundHelper(function (html) {
+    var escapedhtml = html || '';
+
+    // replace script and iFrame
+    escapedhtml = escapedhtml.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
+        '<pre><code>Embedded JavaScript</code></pre>');
+    escapedhtml = escapedhtml.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi,
+        '<pre><code>Embedded IFrame</code></pre>');
+
+    // sanitize HTML
+    escapedhtml = html_sanitize(escapedhtml, cajaSanitizers.url, cajaSanitizers.id);
+    return new Handlebars.SafeString(escapedhtml);
+});
+
+export default formatHTML;
--- a/core/client/helpers/gh-format-markdown.js
+++ b/core/client/helpers/gh-format-markdown.js
@ -1,8 +1,21 @@
-/* global Showdown, Handlebars */
+/* global Showdown, Handlebars, html_sanitize*/
+import cajaSanitizers from 'ghost/utils/caja-sanitizers';
+
 var showdown = new Showdown.converter({extensions: ['ghostimagepreview', 'ghostgfm']});

 var formatMarkdown = Ember.Handlebars.makeBoundHelper(function (markdown) {
-    return new Handlebars.SafeString(showdown.makeHtml(markdown || ''));
+    var html = '';
+
+    // replace script and iFrame
+    markdown = markdown.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '```\nEmbedded JavaScript\n```');
+    markdown = markdown.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi, '```\nEmbedded IFrame\n```');
+
+    // convert markdown to HTML
+    html = showdown.makeHtml(markdown || '');
+
+    // sanitize html
+    html = html_sanitize(html, cajaSanitizers.url, cajaSanitizers.id);
+    return new Handlebars.SafeString(html);
 });

 export default formatMarkdown;
--- a/core/client/templates/posts/post.hbs
+++ b/core/client/templates/posts/post.hbs
@ -2,7 +2,7 @@

 {{#view "content-preview-content-view" tagName="section"}}
    <div class="wrapper">
-        <h1>{{{title}}}</h1>
-        {{{html}}}
+        <h1>{{title}}</h1>
+        {{gh-format-html html}}
    </div>
 {{/view}}
--- a/core/client/utils/caja-sanitizers.js
+++ b/core/client/utils/caja-sanitizers.js
@ -0,0 +1,29 @@
+/**
+ * google-caja uses url() and id() to verify if the values are allowed.
+ */
+var url,
+    id;
+
+/**
+ * Check if URL is allowed
+ * URLs are allowed if they start with http://, https://, or /.
+ */
+var url = function (url) {
+	url = url.toString().replace(/['"]+/g, '');
+    if (/^https?:\/\//.test(url) || /^\//.test(url)) {
+        return url;
+    }
+};
+
+/**
+ * Check if ID is allowed
+ * All ids are allowed at the moment.
+ */
+var id = function (id) {
+    return id;
+};
+
+export default {
+    url: url,
+    id: id
+};
--- a/core/test/functional/client/editor_test.js
+++ b/core/test/functional/client/editor_test.js
@ -172,7 +172,7 @@ CasperTest.begin('Image Uploads', 17, function suite(test) {
        test.assertUrlMatch(/ghost\/editor\/$/, 'Landed on the correct URL');
    });

-    var testFileLocation = 'test/file/location';
+    var testFileLocation = '/test/file/location';

    casper.then(function () {
        var markdownImageString = '![](' + testFileLocation + ')';
@ -203,7 +203,7 @@ CasperTest.begin('Image Uploads', 17, function suite(test) {
        casper.thenClick('.entry-preview .image-uploader a.image-url');
    });

-    var imageURL = 'random.url';
+    var imageURL = 'http://www.random.url';
    casper.waitForSelector('.image-uploader-url', function onSuccess() {
        casper.sendKeys('.image-uploader-url input.url.js-upload-url', imageURL);
        casper.thenClick('.js-button-accept.button-save');