
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -20,6 +20,7 @@
"clipboard": "^2.0.4",
"d3": "^5.9.2",
"datatables.net-bs4": "^1.10.19",
+ "dompurify": "^1.0.10",
"elementsfrompoint-polyfill": "^1.0.0",
"font-awesome": "^4.7.0",
"highlight.js": "^9.15.6",
@@ -34,7 +35,6 @@
"pdfjs-dist": "^2.0.943",
"popper.js": "^1.15.0",
"showdown": "^1.9.0",
- "showdown-xss-filter": "^0.2.0",
"typeface-alegreya": "0.0.69",
"typeface-alegreya-sans": "^0.0.72",
"url-search-params-polyfill": "^5.1.0",
diff --git a/swh/web/assets/src/bundles/webapp/readme-rendering.js b/swh/web/assets/src/bundles/webapp/readme-rendering.js
--- a/swh/web/assets/src/bundles/webapp/readme-rendering.js
+++ b/swh/web/assets/src/bundles/webapp/readme-rendering.js
@@ -1,25 +1,39 @@
/**
- * Copyright (C) 2018 The Software Heritage developers
+ * Copyright (C) 2018-2019 The Software Heritage developers
* See the AUTHORS file at the top-level directory of this distribution
* License: GNU Affero General Public License version 3, or any later version
* See top-level LICENSE file for more information
*/
+import DOMPurify from 'dompurify';
+
import {handleFetchError} from 'utils/functions';
+DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
+ if (node.nodeName === 'IMG' && data.attrName === 'src') {
+ // remove leading slash from image src to fix rendering
+ if (data.attrValue.startsWith('/')) {
+ data.attrValue = data.attrValue.slice(1);
+ }
+ }
+});
+
+export function filterXSS(html) {
+ return DOMPurify.sanitize(html);
+}
+
export async function renderMarkdown(domElt, markdownDocUrl) {
let showdown = await import(/* webpackChunkName: "showdown" */ 'utils/showdown');
- let xssFilter = require('showdown-xss-filter');
$(document).ready(() => {
- let converter = new showdown.Converter({tables: true, extensions: [xssFilter]});
+ let converter = new showdown.Converter({tables: true});
fetch(markdownDocUrl)
.then(handleFetchError)
.then(response => response.text())
.then(data => {
$(domElt).addClass('swh-showdown');
- $(domElt).html(converter.makeHtml(data));
+ $(domElt).html(filterXSS(converter.makeHtml(data)));
})
.catch(() => {
$(domElt).text('Readme bytes are not available');
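Review bot: The `uponSanitizeAttribute` hook's `startsWith('/')` test also matches protocol-relative URLs, so an image written as `//host/pic.png` is rewritten to `/host/pic.png` and fetched from this site instead of `host`; narrowing the test to `if (data.attrValue.startsWith('/') && !data.attrValue.startsWith('//'))` keeps the root-relative fix without that side effect. Because the hook runs before DOMPurify validates the attribute value, the rewrite cannot widen what `src` may contain, but `addHook` registers it globally at module import, so every other `DOMPurify.sanitize` call in the bundle inherits it; a comment on that line such as `// global: applies to every DOMPurify.sanitize() call in this bundle` would make that visible. `filterXSS` relies on DOMPurify's default allow-list, which as far as I know of the library's defaults still lets `<style>`, `<form>` and inline `style` attributes through, enough for a README to restyle or overlay parts of the page; if that is not acceptable, pass `{FORBID_TAGS: ['style', 'form'], FORBID_ATTR: ['style']}` to `sanitize` and document the chosen policy in a JSDoc on `filterXSS`.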
@@ -36,7 +50,7 @@
let orgDocument = parser.parse(orgDocData, {toc: false});
let orgHTMLDocument = orgDocument.convert(org.ConverterHTML, {});
$(domElt).addClass('swh-org');
- $(domElt).html(orgHTMLDocument.toString());
+ $(domElt).html(filterXSS(orgHTMLDocument.toString()));
// remove toc and section numbers to get consistent
// with other readme renderings
$('.swh-org ul').first().remove();
diff --git a/swh/web/templates/includes/readme-display.html b/swh/web/templates/includes/readme-display.html
--- a/swh/web/templates/includes/readme-display.html
+++ b/swh/web/templates/includes/readme-display.html
@@ -19,7 +19,7 @@
{% if readme_html %}
<script>
- $('#readme').html({{ readme_html|jsonify }});
+ $('#readme').html(swh.webapp.filterXSS({{ readme_html|jsonify }}));
</script>
{% elif readme_name.lower == 'readme' or readme_name.lower == 'readme.txt' %}
<script>
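Review bot: `swh.webapp.filterXSS(...)` only runs after the browser has already parsed the `<script>` element that carries `readme_html`, so the protection depends on `jsonify` escaping `<`, `>` and `&` (at minimum the `</` of `</script>`) inside the JSON string; if it emits them raw, README content containing `</script>` closes the element and is interpreted as markup before DOMPurify is ever reached. The filter is not visible in this hunk, so please confirm it escapes the way Django's `json_script` does (`\u003c` and friends), and record the dependency next to the call, e.g. `{# readme_html is server-rendered HTML; jsonify must escape '<' so it cannot break out of this script #}`. Sanitizing in the browser also leaves the server-side `readme_html` value unsanitized wherever else it may be used; if a server-side pass exists that is fine, otherwise this call is the only barrier and should be treated as such.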
diff --git a/yarn.lock b/yarn.lock
--- a/yarn.lock
+++ b/yarn.lock
@@ -1997,7 +1997,7 @@
dependencies:
delayed-stream "~1.0.0"
-commander@2, commander@^2.19.0, commander@^2.9.0:
+commander@2, commander@^2.19.0:
version "2.19.0"
resolved "https://registry.yarnpkg.com/commander/-/commander-2.19.0.tgz#f6198aa84e5b83c46054b94ddedbfed5ee9ff12a"
integrity sha512-6tvAOO+D6OENvRAh524Dh9jcfKTYDQAqvqezbCW82xj5X0pSrcpxtvRKHLG0yBY6SD7PSDrJaj+0AiOcKVd1Xg==
@@ -2393,11 +2393,6 @@
resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee"
integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
-cssfilter@^0.0.8:
- version "0.0.8"
- resolved "https://registry.yarnpkg.com/cssfilter/-/cssfilter-0.0.8.tgz#6564caccba8a76dd9b4b920668b9fb7fda50e54c"
- integrity sha1-ZWTKzLqKdt2bS5IGaLn7f9pQ5Uw=
-
cssnano-preset-default@^4.0.7:
version "4.0.7"
resolved "https://registry.yarnpkg.com/cssnano-preset-default/-/cssnano-preset-default-4.0.7.tgz#51ec662ccfca0f88b396dcd9679cdb931be17f76"
@@ -2994,6 +2989,11 @@
dependencies:
domelementtype "1"
+dompurify@^1.0.10:
+ version "1.0.10"
+ resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-1.0.10.tgz#18d7353631c86ee25049e38fbca8c6b2c5a2af87"
+ integrity sha512-huhl3DSWX5LaA7jDtnj3XQdJgWW1wYouNW7N0drGzQa4vEUSVWyeFN+Atx6HP4r5cang6oQytMom6I4yhGJj5g==
+
domutils@^1.5.1, domutils@^1.7.0:
version "1.7.0"
resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.7.0.tgz#56ea341e834e06e6748af7a1cb25da67ea9f8c2a"
@@ -7753,13 +7753,6 @@
resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-1.0.0.tgz#da42f49740c0b42db2ca9728571cb190c98efea3"
integrity sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=
-showdown-xss-filter@^0.2.0:
- version "0.2.0"
- resolved "https://registry.yarnpkg.com/showdown-xss-filter/-/showdown-xss-filter-0.2.0.tgz#39857bae56d6184979f26876b187bb87e9f4f04c"
- integrity sha1-OYV7rlbWGEl58mh2sYe7h+n08Ew=
- dependencies:
- xss "0.2.x"
-
showdown@^1.9.0:
version "1.9.0"
resolved "https://registry.yarnpkg.com/showdown/-/showdown-1.9.0.tgz#d49d2a0b6db21b7c2e96ef855f7b3b2a28ef46f4"
@@ -9146,14 +9139,6 @@
resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-3.0.0.tgz#496b2cc109eca8dbacfe2dc72b603c17c5870ad4"
integrity sha1-SWsswQnsqNus/i3HK2A8F8WHCtQ=
-xss@0.2.x:
- version "0.2.18"
- resolved "https://registry.yarnpkg.com/xss/-/xss-0.2.18.tgz#6df5fb5ca28bdc51e78624ff63f19e13ebd73bab"
- integrity sha1-bfX7XKKL3FHnhiT/Y/GeE+vXO6s=
- dependencies:
- commander "^2.9.0"
- cssfilter "^0.0.8"
-
xtend@^4.0.0, xtend@^4.0.1, xtend@~4.0.1:
version "4.0.1"
resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"
