Commit714ef29
feat: added html sanitizer for remote rendering (#1128)
Co-authored-by: Joe Pea <joe@trusktr.io>
1 parent0bf03f5 commit714ef29

8 files changed

+2074
-1071
lines changed


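--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -19,6 +19,7 @@ module.exports = {
 rules:{
 'prettier/prettier':['error'],
 camelcase:['warn'],
+'no-useless-escape':['warn'],
 curly:['error','all'],
 'dot-notation':['error'],
 eqeqeq:['error'],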

‎package-lock.json‎

Lines changed: 2007 additions & 1068 deletions

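--- a/package.json
+++ b/package.json
@@ -57,6 +57,7 @@
 "*.js":"eslint --fix"
 },
 "dependencies": {
+"dompurify":"^2.0.8",
 "marked":"^0.7.0",
 "medium-zoom":"^1.0.5",
 "opencollective-postinstall":"^2.0.2",
@@ -82,7 +83,7 @@
 "esm":"^3.1.4",
 "husky":"^3.1.0",
 "jsdom":"^16.2.2",
-"lerna":"^3.17.0",
+"lerna":"^3.22.1",
 "lint-staged":"^10.1.2",
 "live-server":"^1.2.1",
 "mkdirp":"^0.5.1",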

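--- a/packages/docsify-server-renderer/index.js
+++ b/packages/docsify-server-renderer/index.js
@@ -3,6 +3,7 @@ import { resolve, basename } from 'path';
 importresolvePathnamefrom'resolve-pathname';
 importfetchfrom'node-fetch';
 importdebugfrom'debug';
+importDOMPurifyfrom'dompurify';
 import{AbstractHistory}from'../../src/core/router/history/abstract';
 import{Compiler}from'../../src/core/render/compiler';
 import{isAbsolutePath}from'../../src/core/router/util';
@@ -13,6 +14,32 @@ function cwd(...args) {
 returnresolve(process.cwd(), ...args);
 }
 
+functionisExternal(url){
+letmatch=url.match(
+/^([^:\/?#]+:)?(?:\/\/([^\/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/
+);
+if(
+typeofmatch[1]==='string'&&
+match[1].length>0&&
+match[1].toLowerCase()!==location.protocol
+){
+returntrue;
+}
+if(
+typeofmatch[2]==='string'&&
+match[2].length>0&&
+match[2].replace(
+newRegExp(
+':('+{'http:':80,'https:':443}[location.protocol]+')?$'
+),
+''
+)!==location.host
+){
+returntrue;
+}
+returnfalse;
+}
+
 functionmainTpl(config){
 lethtml=`<nav class="app-nav${
 config.repo ?'' :' no-badge'
@@ -60,6 +87,7 @@ export default class Renderer {
 
 asyncrenderToString(url){
 this.url=url=this.router.parse(url).path;
+this.isRemoteUrl=isExternal(this.url);
 const{ loadSidebar, loadNavbar, coverpage}=this.config;
 
 constmainFile=this._getPath(url);
@@ -95,9 +123,8 @@ export default class Renderer {
 this._renderHtml('cover',awaitthis._render(coverFile),'cover');
 }
 
-consthtml=this.html;
+consthtml=this.isRemoteUrl ?DOMPurify.sanitize(this.html) :this.html;
 this.html=this.template;
-
 returnhtml;
 }
 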
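Review bot: `isExternal` (new lines 17–41) reads the browser globals `location.protocol` and `location.host`, but this module runs under Node (`process.cwd()` in `cwd`, the `node-fetch` import above), where no `location` binding exists, so `renderToString` will throw a ReferenceError on the new line 90 for every URL before any sanitizing can take place. The server renderer should take the origin it compares against explicitly (from its configuration or the `url` argument) instead of reading `location`, or at minimum `isExternal` needs a fail-closed guard such as `if (typeof location === 'undefined') { return true; }` so that content is sanitized when the origin cannot be determined. The same function is pasted verbatim into src/core/fetch/index.js; one shared export (this file already imports `isAbsolutePath` from `../../src/core/router/util`) would keep the two copies from drifting. `DOMPurify.sanitize` on the new line 126 also presumably needs a DOM window when run in Node (the repository already lists `jsdom` as a devDependency); confirm whether the default import actually sanitizes here or hands the input back unchanged.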

‎packages/docsify-server-renderer/package-lock.json‎

Lines changed: 5 additions & 0 deletions

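--- a/packages/docsify-server-renderer/package.json
+++ b/packages/docsify-server-renderer/package.json
@@ -17,6 +17,7 @@
 "dependencies": {
 "debug":"^4.1.1",
 "docsify":"^4.11.2",
+"dompurify":"^2.0.8",
 "node-fetch":"^2.6.0",
 "resolve-pathname":"^3.0.0"
 }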

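--- a/src/core/fetch/index.js
+++ b/src/core/fetch/index.js
@@ -20,6 +20,32 @@ function loadNested(path, qs, file, next, vm, first) {
 ).then(next,_=>loadNested(path,qs,file,next,vm));
 }
 
+functionisExternal(url){
+letmatch=url.match(
+/^([^:\/?#]+:)?(?:\/\/([^\/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/
+);
+if(
+typeofmatch[1]==='string'&&
+match[1].length>0&&
+match[1].toLowerCase()!==location.protocol
+){
+returntrue;
+}
+if(
+typeofmatch[2]==='string'&&
+match[2].length>0&&
+match[2].replace(
+newRegExp(
+':('+{'http:':80,'https:':443}[location.protocol]+')?$'
+),
+''
+)!==location.host
+){
+returntrue;
+}
+returnfalse;
+}
+
 exportfunctionfetchMixin(proto){
 letlast;
 
@@ -84,6 +110,7 @@ export function fetchMixin(proto) {
 constfile=this.router.getFile(path);
 constreq=request(file+qs,true,requestHeaders);
 
+this.isRemoteUrl=isExternal(file);
 // Current page is html
 this.isHTML=/\.html$/g.test(file);
 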
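Review bot: `isExternal` (new lines 23–47) carries no comment although its verdict now decides whether a fetched page is passed through DOMPurify; I would add `// True when url names a scheme or host other than the current origin; such pages are sanitized before rendering.` above the function. The `\/` escapes inside the character classes of the regex on line 25 are what the `'no-useless-escape'` relaxation in .eslintrc.js presumably papers over; writing `/^([^:/?#]+:)?(?:\/\/([^/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/` keeps the same matches and lets that rule stay at error. The host comparison on line 42 matches `match[2]` verbatim against `location.host`, so a mixed-case host or a `user@host` authority in `file` is classed external — that errs toward sanitizing, which is the safe direction, but deserves a note. `fetchMixin`'s body continues outside the hunk.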

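--- a/src/core/render/index.js
+++ b/src/core/render/index.js
@@ -1,5 +1,6 @@
 /* eslint-disable no-unused-vars */
 importtinydatefrom'tinydate';
+importDOMPurifyfrom'dompurify';
 import*asdomfrom'../util/dom';
 importcssVarsfrom'../util/polyfill/css-vars';
 import{callHook}from'../init/lifecycle';
@@ -172,6 +173,7 @@ export function renderMixin(proto) {
 },
 tokens=>{
 html=this.compiler.compile(tokens);
+html=this.isRemoteUrl ?DOMPurify.sanitize(html) :html;
 callback();
 next();
 }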
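Review bot: The sanitizing on the new line 176 is keyed on `this.isRemoteUrl`, which is assigned in the fetch mixin (src/core/fetch/index.js) and is falsy while unset, so any compile path that reaches this callback without passing through that assignment renders unsanitized; whether such a path exists is not visible here, since `renderMixin` starts outside the hunk. Making only an explicit `false` skip the sanitizer, `html = this.isRemoteUrl === false ? html : DOMPurify.sanitize(html);`, would fail closed, but only after confirming every local render sets the flag first. A why-comment on the new line, `// Remote markdown is untrusted: strip active content before it is rendered.`, would also tell the next reader why only some pages are sanitized.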
