Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings
This repository was archived by the owner on Nov 8, 2022. It is now read-only.

Commit5b321f3

Browse files
committed
chore(editor): add encode to potential xss attack
1 parentdc0459e commit5b321f3

File tree

3 files changed

+24
-15
lines changed

3 files changed

+24
-15
lines changed

‎lib/helper/converter/editor_to_html.ex‎

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -111,6 +111,15 @@ defmodule Helper.Converter.EditorToHtml do
111111
# |> IO.inspect(label: "quote ret")
112112
end
113113

114+
defpparse_block(%{"type"=>"code","data"=>data})do
115+
text=get_in(data,["text"])
116+
code=text|>Phoenix.HTML.html_escape()|>Phoenix.HTML.safe_to_string()
117+
lang=get_in(data,["lang"])
118+
119+
"<pre><code class=\"lang-#{lang}\">#{code}</code></pre>"
120+
# |> IO.inspect(label: "code ret")
121+
end
122+
114123
defpparse_block(_block)do
115124
# IO.puts("[unknow block]")
116125
"[unknow block]"

‎lib/helper/converter/html_sanitizer.ex‎

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ defmodule Helper.Converter.HtmlSanitizer do
2222
Meta.allow_tag_with_these_attributes("i",[])
2323
Meta.allow_tag_with_these_attributes("mark",["class"])
2424
Meta.allow_tag_with_these_attributes("code",["class"])
25+
Meta.allow_tag_with_these_attributes("pre",["class"])
2526
# Meta.allow_tag_with_these_attributes("p", [])
2627
Meta.allow_tag_with_these_attributes("h1",["class"])
2728
Meta.allow_tag_with_these_attributes("h2",["class"])

‎test/helper/converter/editor_to_html_test.exs‎

Lines changed: 14 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -170,6 +170,13 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHtml do
170170
"data" : {
171171
"type" : "pen"
172172
}
173+
},
174+
{
175+
"type" : "code",
176+
"data" : {
177+
"lang" : "js",
178+
"text" : "<script>evil scripts</script>"
179+
}
173180
}
174181
],
175182
"version" : "2.15.0"
@@ -200,22 +207,14 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHtml do
200207
end
201208

202209
describe"[block convert]"do
203-
# @tag :wip2
204-
# test "allow svg tag" do
205-
# html = """
206-
# <svg height="22px" width="22px" t="1572155354182" class="icon" viewBox="0 0 1024 1024" version="1.1" xmlns="http://www.w3.org/2000/svg" p-id="14479" width="200" height="200"><path d="M812.586667 331.306667h79.850666a71.338667 71.338667 0 0 1 71.317334 71.317333v86.784a158.122667 158.122667 0 0 1-158.101334 158.122667h-5.568c-38.890667 130.624-159.893333 225.877333-303.146666 225.877333h-120.469334c-174.656 0-316.224-141.589333-316.224-316.224V342.4a101.44 101.44 0 0 1 101.44-101.461333h550.037334a101.461333 101.461333 0 0 1 100.864 90.346666zM240.938667 60.224c16.64 0 30.122667 13.482667 30.122666 30.101333V150.613333a30.122667 30.122667 0 0 1-60.245333 0V90.346667c0-16.64 13.482667-30.101333 30.122667-30.101334z m180.693333 0c16.64 0 30.122667 13.482667 30.122667 30.101333V150.613333a30.122667 30.122667 0 0 1-60.224 0V90.346667c0-16.64 13.482667-30.101333 30.122666-30.101334z m180.714667 0c16.64 0 30.122667 13.482667 30.122666 30.101333V150.613333a30.122667 30.122667 0 0 1-60.224 0V90.346667c0-16.64 13.482667-30.101333 30.101334-30.101334zM161.706667 301.184a41.216 41.216 0 0 0-41.216 41.216v214.784c0 141.376 114.624 256 256 256h120.469333c141.397333 0 256-114.624 256-256V342.4a41.216 41.216 0 0 0-41.216-41.216H161.706667z m741.845333 188.224v-86.784a11.093333 11.093333 0 0 0-11.093333-11.093333h-79.253334v195.477333a97.898667 97.898667 0 0 0 90.346667-97.6z" p-id="14480"></path></svg>
207-
# """
208-
209-
# IO.inspect(Sanitizer.sanitize(html), label: "hehe")
210-
# # assert Sanitizer.sanitize(html) == "This is <i>text</i>"
211-
# end
212210
@tag:wip2
213-
test"todo"do
214-
# IO.inspect(converted, label: "haha")
215-
converted=Parser.convert_to_html(@real_editor_data)
216-
# blocks = converted["blocks"]
217-
IO.inspect(converted,label:"converted ")
218-
# assert not Enum.empty?(converted["blocks"])
211+
test"code block should avoid potential xss script attack"do
212+
{:ok,converted}=Parser.convert_to_html(@real_editor_data)
213+
214+
safe_script=
215+
"<pre><code class=\"lang-js\">&lt;script&gt;evil scripts&lt;/script&gt;</code></pre>"
216+
217+
assertconverted|>String.contains?(safe_script)
219218
end
220219
end
221220
end

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp