do not allow script tags in description html
This commit is contained in:
Andris Reinman
parent
0879fa412a
commit
ae6affda81
5 changed files with 32 additions and 0 deletions
|
|
@ -619,6 +619,9 @@ module.exports.create = (campaign, opts, callback) => {
|
|||
Object.keys(campaign).forEach(key => {
|
||||
let value = typeof campaign[key] === 'number' ? campaign[key] : (campaign[key] || '').toString().trim();
|
||||
key = tools.toDbKey(key);
|
||||
if (key === 'description') {
|
||||
value = tools.purifyHTML(value);
|
||||
}
|
||||
if (allowedKeys.indexOf(key) >= 0 && keys.indexOf(key) < 0) {
|
||||
keys.push(key);
|
||||
values.push(value);
|
||||
|
|
@ -791,6 +794,9 @@ module.exports.update = (id, updates, callback) => {
|
|||
Object.keys(campaign).forEach(key => {
|
||||
let value = typeof campaign[key] === 'number' ? campaign[key] : (campaign[key] || '').toString().trim();
|
||||
key = tools.toDbKey(key);
|
||||
if (key === 'description') {
|
||||
value = tools.purifyHTML(value);
|
||||
}
|
||||
if (allowedKeys.indexOf(key) >= 0 && keys.indexOf(key) < 0) {
|
||||
keys.push(key);
|
||||
values.push(value);
|
||||
|
|
|
|||
|
|
@ -123,6 +123,9 @@ module.exports.create = (list, callback) => {
|
|||
Object.keys(list).forEach(key => {
|
||||
let value = list[key].trim();
|
||||
key = tools.toDbKey(key);
|
||||
if (key === 'description') {
|
||||
value = tools.purifyHTML(value);
|
||||
}
|
||||
if (allowedKeys.indexOf(key) >= 0) {
|
||||
keys.push(key);
|
||||
values.push(value);
|
||||
|
|
@ -182,6 +185,9 @@ module.exports.update = (id, updates, callback) => {
|
|||
Object.keys(updates).forEach(key => {
|
||||
let value = updates[key].trim();
|
||||
key = tools.toDbKey(key);
|
||||
if (key === 'description') {
|
||||
value = tools.purifyHTML(value);
|
||||
}
|
||||
if (allowedKeys.indexOf(key) >= 0) {
|
||||
keys.push(key);
|
||||
values.push(value);
|
||||
|
|
|
|||
|
|
@ -88,6 +88,9 @@ module.exports.create = (template, callback) => {
|
|||
Object.keys(template).forEach(key => {
|
||||
let value = template[key].trim();
|
||||
key = tools.toDbKey(key);
|
||||
if (key === 'description') {
|
||||
value = tools.purifyHTML(value);
|
||||
}
|
||||
if (allowedKeys.indexOf(key) >= 0) {
|
||||
keys.push(key);
|
||||
values.push(value);
|
||||
|
|
@ -133,6 +136,9 @@ module.exports.update = (id, updates, callback) => {
|
|||
Object.keys(updates).forEach(key => {
|
||||
let value = updates[key].trim();
|
||||
key = tools.toDbKey(key);
|
||||
if (key === 'description') {
|
||||
value = tools.purifyHTML(value);
|
||||
}
|
||||
if (allowedKeys.indexOf(key) >= 0) {
|
||||
keys.push(key);
|
||||
values.push(value);
|
||||
|
|
|
|||
13
lib/tools.js
13
lib/tools.js
|
|
@ -9,6 +9,7 @@ let jsdom = require('jsdom');
|
|||
let he = require('he');
|
||||
let _ = require('./translate')._;
|
||||
let util = require('util');
|
||||
let createDOMPurify = require('dompurify');
|
||||
|
||||
let blockedUsers = ['abuse', 'admin', 'billing', 'compliance', 'devnull', 'dns', 'ftp', 'hostmaster', 'inoc', 'ispfeedback', 'ispsupport', 'listrequest', 'list', 'maildaemon', 'noc', 'noreply', 'noreply', 'null', 'phish', 'phishing', 'postmaster', 'privacy', 'registrar', 'root', 'security', 'spam', 'support', 'sysadmin', 'tech', 'undisclosedrecipients', 'unsubscribe', 'usenet', 'uucp', 'webmaster', 'www'];
|
||||
|
||||
|
|
@ -23,6 +24,7 @@ module.exports = {
|
|||
formatMessage,
|
||||
getMessageLinks,
|
||||
prepareHtml,
|
||||
purifyHTML,
|
||||
workers: new Set()
|
||||
};
|
||||
|
||||
|
|
@ -232,3 +234,14 @@ function prepareHtml(html, callback) {
|
|||
return callback(null, juice(preparedHtml));
|
||||
});
|
||||
}
|
||||
|
||||
function purifyHTML(html) {
|
||||
let win = jsdom.jsdom('', {
|
||||
features: {
|
||||
FetchExternalResources: false, // disables resource loading over HTTP / filesystem
|
||||
ProcessExternalResources: false // do not execute JS within script blocks
|
||||
}
|
||||
}).defaultView;
|
||||
let DOMPurify = createDOMPurify(win);
|
||||
return DOMPurify.sanitize(html);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,6 +47,7 @@
|
|||
"csurf": "^1.9.0",
|
||||
"csv-generate": "^1.0.0",
|
||||
"csv-parse": "^1.2.0",
|
||||
"dompurify": "^0.8.5",
|
||||
"escape-html": "^1.0.3",
|
||||
"express": "^4.15.2",
|
||||
"express-session": "^1.15.1",
|
||||
|
|
|
|||
Loading…
Reference in a new issue