const Xss = require('xss');
// Attribute groups shared by several tags in the allowlist below. Each tag
// gets its own spread copy so no two entries share an array instance.
const alignAttrs = ['align', 'valign'];
const columnAttrs = [...alignAttrs, 'span', 'width'];
const cellAttrs = ['width', 'rowspan', 'colspan', ...alignAttrs];
const mediaAttrs = ['autoplay', 'controls', 'loop', 'preload', 'src'];
const timestampAttrs = ['datetime'];
const directionAttrs = ['dir'];

/**
 * HTML tags (keys) and the attributes (values) that are allowed to survive
 * filtering. Everything else is handled by the `xss` library's defaults:
 * tags not listed here are escaped and attributes not in a tag's list are
 * dropped. `href`/`src` values are additionally vetted by the library's
 * default safeAttrValue, which rejects unsafe URL schemes — confirm this
 * against the installed `xss` version before relying on it.
 */
const whiteList = {
  // --- inline / phrasing content ---
  // NOTE(review): `target` is allowed but `rel` is not, so a target="_blank"
  // link can never carry rel="noopener"; decide whether to allow `rel` or
  // drop `target` from this list.
  a: ['target', 'href', 'title'],
  abbr: ['title'],
  b: [],
  bdi: [...directionAttrs],
  bdo: [...directionAttrs],
  big: [],
  cite: [],
  code: [],
  del: [...timestampAttrs],
  em: [],
  font: ['color', 'size', 'face'],
  i: [],
  ins: [...timestampAttrs],
  mark: [],
  s: [],
  small: [],
  // `class` lets embedded HTML reuse the site's stylesheet classes; only
  // acceptable if no class name carries privileged styling or behaviour.
  span: ['class'],
  strong: [],
  sub: [],
  sup: [],
  tt: [],
  u: [],

  // --- block / sectioning content ---
  address: [],
  article: [],
  aside: [],
  blockquote: ['cite'],
  br: [],
  center: [],
  dd: [],
  details: ['open'],
  div: [],
  dl: [],
  dt: [],
  h1: [],
  h2: [],
  h3: [],
  h4: [],
  h5: [],
  h6: [],
  header: [],
  hr: [],
  li: [],
  ol: [],
  p: [],
  pre: [],
  section: [],
  ul: [],

  // --- media (src/href go through the URL check noted above) ---
  area: ['shape', 'coords', 'href', 'alt'],
  audio: [...mediaAttrs],
  img: ['src', 'alt', 'title', 'width', 'height'],
  video: [...mediaAttrs, 'height', 'width'],

  // --- tables ---
  caption: [],
  col: [...columnAttrs],
  colgroup: [...columnAttrs],
  table: ['width', 'border', ...alignAttrs],
  tbody: [...alignAttrs],
  td: [...cellAttrs],
  tfoot: [...alignAttrs],
  th: [...cellAttrs],
  thead: [...alignAttrs],
  tr: ['rowspan', ...alignAttrs],
};

// Configured filter instance; `xss.process(html)` applies the allowlist.
const xss = new Xss.FilterXSS({ whiteList });
/**
 * markdown-it plugin that passes every raw-HTML token through the `xss`
 * allowlist filter configured above, so HTML embedded in Markdown is reduced
 * to the permitted tags and attributes before rendering.
 *
 * Only `html_block` tokens and the `html_inline` children of `inline` tokens
 * are rewritten in place; every other token type is left untouched. The rule
 * is registered on the core ruler after `linkify`, i.e. once the inline
 * token tree has been built.
 *
 * @param {object} md - markdown-it instance (must expose `md.core.ruler.after`)
 */
function xssProtector(md) {
  // Filter the raw-HTML children of one inline token.
  const sanitizeInline = (children) => {
    for (const child of children) {
      if (child.type === 'html_inline') {
        child.content = xss.process(child.content);
      }
    }
  };

  // Core rule: walk the block-level token stream once.
  const protector = (state) => {
    for (const token of state.tokens) {
      if (token.type === 'html_block') {
        token.content = xss.process(token.content);
      }
      if (token.type === 'inline') {
        sanitizeInline(token.children);
      }
    }
  };

  md.core.ruler.after('linkify', 'xss', protector);
}
// Export the configured filter (for direct `xss.process` use) alongside the plugin.
module.exports = { xss, xssProtector };