mirror of
https://github.com/moparisthebest/mail
synced 2024-11-24 18:02:15 -05:00
[WO-03-002] Fix Insecure Regex Usage on DOMPurify Sanitizer Output (Medium)
This commit is contained in:
parent
55406cf7e8
commit
246d19b76e
@ -46,7 +46,8 @@
|
|||||||
"Lawnchair",
|
"Lawnchair",
|
||||||
"_",
|
"_",
|
||||||
"openpgp",
|
"openpgp",
|
||||||
"PhoneNumber"
|
"PhoneNumber",
|
||||||
|
"DOMPurify"
|
||||||
],
|
],
|
||||||
|
|
||||||
"globals": {}
|
"globals": {}
|
||||||
|
@ -39,7 +39,7 @@
|
|||||||
"browsersmtp": "https://github.com/whiteout-io/browsersmtp/tarball/master",
|
"browsersmtp": "https://github.com/whiteout-io/browsersmtp/tarball/master",
|
||||||
"chai": "~1.9.2",
|
"chai": "~1.9.2",
|
||||||
"crypto-lib": "~0.2.1",
|
"crypto-lib": "~0.2.1",
|
||||||
"dompurify": "~0.4.2",
|
"dompurify": "~0.6.3",
|
||||||
"grunt": "~0.4.1",
|
"grunt": "~0.4.1",
|
||||||
"grunt-angular-templates": "~0.5.7",
|
"grunt-angular-templates": "~0.5.7",
|
||||||
"grunt-autoprefixer": "~0.7.2",
|
"grunt-autoprefixer": "~0.7.2",
|
||||||
|
@ -1,5 +1,13 @@
|
|||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
|
// add DOMPurify hook to sanitze attributes
|
||||||
|
DOMPurify.addHook('afterSanitizeAttributes', function(node) {
|
||||||
|
// open all links in a new window
|
||||||
|
if ('target' in node) {
|
||||||
|
node.setAttribute('target', '_blank');
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
// set listener for event from main window
|
// set listener for event from main window
|
||||||
window.onmessage = function(e) {
|
window.onmessage = function(e) {
|
||||||
var html = '';
|
var html = '';
|
||||||
@ -13,19 +21,16 @@ window.onmessage = function(e) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// sanitize HTML content: https://github.com/cure53/DOMPurify
|
// sanitize HTML content: https://github.com/cure53/DOMPurify
|
||||||
html = window.DOMPurify.sanitize(html);
|
|
||||||
// make links open in a new window
|
|
||||||
html = html.replace(/<a /g, '<a target="_blank" ');
|
|
||||||
|
|
||||||
// remove sources where necessary
|
|
||||||
if (e.data.removeImages) {
|
if (e.data.removeImages) {
|
||||||
html = html.replace(/(<img[^>]+\b)src=['"][^'">]+['"]/ig, function(match, prefix) {
|
// remove http leaks
|
||||||
return prefix;
|
document.body.innerHTML = DOMPurify.sanitize(html, {
|
||||||
|
FORBID_TAGS: ['style', 'svg', 'audio', 'video'],
|
||||||
|
FORBID_ATTR: ['src']
|
||||||
});
|
});
|
||||||
|
} else {
|
||||||
|
document.body.innerHTML = DOMPurify.sanitize(html);
|
||||||
}
|
}
|
||||||
|
|
||||||
document.body.innerHTML = html;
|
|
||||||
|
|
||||||
attachClickHandlers();
|
attachClickHandlers();
|
||||||
};
|
};
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user