public/mailtrain
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

do not allow script tags in description html

Browse source
This commit is contained in:
Andris Reinman 2017-03-19 14:22:44 +02:00
parent 0879fa412a
commit ae6affda81
5 changed files with 32 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/models/campaigns.js
View file

@ -619,6 +619,9 @@ module.exports.create = (campaign, opts, callback) => {
Object.keys(campaign).forEach(key => { Object.keys(campaign).forEach(key => {
let value = typeof campaign[key] === 'number' ? campaign[key] : (campaign[key] || '').toString().trim(); let value = typeof campaign[key] === 'number' ? campaign[key] : (campaign[key] || '').toString().trim();
key = tools.toDbKey(key); key = tools.toDbKey(key);
if (key === 'description') {
value = tools.purifyHTML(value);
}
if (allowedKeys.indexOf(key) >= 0 && keys.indexOf(key) < 0) { if (allowedKeys.indexOf(key) >= 0 && keys.indexOf(key) < 0) {
keys.push(key); keys.push(key);
values.push(value); values.push(value);
@ -791,6 +794,9 @@ module.exports.update = (id, updates, callback) => {
Object.keys(campaign).forEach(key => { Object.keys(campaign).forEach(key => {
let value = typeof campaign[key] === 'number' ? campaign[key] : (campaign[key] || '').toString().trim(); let value = typeof campaign[key] === 'number' ? campaign[key] : (campaign[key] || '').toString().trim();
key = tools.toDbKey(key); key = tools.toDbKey(key);
if (key === 'description') {
value = tools.purifyHTML(value);
}
if (allowedKeys.indexOf(key) >= 0 && keys.indexOf(key) < 0) { if (allowedKeys.indexOf(key) >= 0 && keys.indexOf(key) < 0) {
keys.push(key); keys.push(key);
values.push(value); values.push(value);

6
lib/models/lists.js
View file

@ -123,6 +123,9 @@ module.exports.create = (list, callback) => {
Object.keys(list).forEach(key => { Object.keys(list).forEach(key => {
let value = list[key].trim(); let value = list[key].trim();
key = tools.toDbKey(key); key = tools.toDbKey(key);
if (key === 'description') {
value = tools.purifyHTML(value);
}
if (allowedKeys.indexOf(key) >= 0) { if (allowedKeys.indexOf(key) >= 0) {
keys.push(key); keys.push(key);
values.push(value); values.push(value);
@ -182,6 +185,9 @@ module.exports.update = (id, updates, callback) => {
Object.keys(updates).forEach(key => { Object.keys(updates).forEach(key => {
let value = updates[key].trim(); let value = updates[key].trim();
key = tools.toDbKey(key); key = tools.toDbKey(key);
if (key === 'description') {
value = tools.purifyHTML(value);
}
if (allowedKeys.indexOf(key) >= 0) { if (allowedKeys.indexOf(key) >= 0) {
keys.push(key); keys.push(key);
values.push(value); values.push(value);

6
lib/models/templates.js
View file

@ -88,6 +88,9 @@ module.exports.create = (template, callback) => {
Object.keys(template).forEach(key => { Object.keys(template).forEach(key => {
let value = template[key].trim(); let value = template[key].trim();
key = tools.toDbKey(key); key = tools.toDbKey(key);
if (key === 'description') {
value = tools.purifyHTML(value);
}
if (allowedKeys.indexOf(key) >= 0) { if (allowedKeys.indexOf(key) >= 0) {
keys.push(key); keys.push(key);
values.push(value); values.push(value);
@ -133,6 +136,9 @@ module.exports.update = (id, updates, callback) => {
Object.keys(updates).forEach(key => { Object.keys(updates).forEach(key => {
let value = updates[key].trim(); let value = updates[key].trim();
key = tools.toDbKey(key); key = tools.toDbKey(key);
if (key === 'description') {
value = tools.purifyHTML(value);
}
if (allowedKeys.indexOf(key) >= 0) { if (allowedKeys.indexOf(key) >= 0) {
keys.push(key); keys.push(key);
values.push(value); values.push(value);

13
lib/tools.js
View file

@ -9,6 +9,7 @@ let jsdom = require('jsdom');
let he = require('he'); let he = require('he');
let _ = require('./translate')._; let _ = require('./translate')._;
let util = require('util'); let util = require('util');
let createDOMPurify = require('dompurify');
let blockedUsers = ['abuse', 'admin', 'billing', 'compliance', 'devnull', 'dns', 'ftp', 'hostmaster', 'inoc', 'ispfeedback', 'ispsupport', 'listrequest', 'list', 'maildaemon', 'noc', 'noreply', 'noreply', 'null', 'phish', 'phishing', 'postmaster', 'privacy', 'registrar', 'root', 'security', 'spam', 'support', 'sysadmin', 'tech', 'undisclosedrecipients', 'unsubscribe', 'usenet', 'uucp', 'webmaster', 'www']; let blockedUsers = ['abuse', 'admin', 'billing', 'compliance', 'devnull', 'dns', 'ftp', 'hostmaster', 'inoc', 'ispfeedback', 'ispsupport', 'listrequest', 'list', 'maildaemon', 'noc', 'noreply', 'noreply', 'null', 'phish', 'phishing', 'postmaster', 'privacy', 'registrar', 'root', 'security', 'spam', 'support', 'sysadmin', 'tech', 'undisclosedrecipients', 'unsubscribe', 'usenet', 'uucp', 'webmaster', 'www'];
@ -23,6 +24,7 @@ module.exports = {
formatMessage, formatMessage,
getMessageLinks, getMessageLinks,
prepareHtml, prepareHtml,
purifyHTML,
workers: new Set() workers: new Set()
}; };
@ -232,3 +234,14 @@ function prepareHtml(html, callback) {
return callback(null, juice(preparedHtml)); return callback(null, juice(preparedHtml));
}); });
} }
function purifyHTML(html) {
let win = jsdom.jsdom('', {
features: {
FetchExternalResources: false, // disables resource loading over HTTP / filesystem
ProcessExternalResources: false // do not execute JS within script blocks
}
}).defaultView;
let DOMPurify = createDOMPurify(win);
return DOMPurify.sanitize(html);
}

1
package.json
View file

@ -47,6 +47,7 @@
"csurf": "^1.9.0", "csurf": "^1.9.0",
"csv-generate": "^1.0.0", "csv-generate": "^1.0.0",
"csv-parse": "^1.2.0", "csv-parse": "^1.2.0",
"dompurify": "^0.8.5",
"escape-html": "^1.0.3", "escape-html": "^1.0.3",
"express": "^4.15.2", "express": "^4.15.2",
"express-session": "^1.15.1", "express-session": "^1.15.1",