Merge pull request #321 from whiteout-io/audit/WO-03-002

[WO-03-002] Fix Insecure Regex Usage on DOMPurify Sanitizer Output (Medi...
master
Felix Hammerl 2015-04-22 17:38:32 +02:00
commit 898e19e3ea
3 changed files with 18 additions and 12 deletions


@ -46,7 +46,8 @@
"Lawnchair",
"_",
"openpgp",
"PhoneNumber"
"PhoneNumber",
"DOMPurify"
],
"globals": {}


@ -39,7 +39,7 @@
"browsersmtp": "https://github.com/whiteout-io/browsersmtp/tarball/master",
"chai": "~1.9.2",
"crypto-lib": "~0.2.1",
"dompurify": "~0.4.2",
"dompurify": "~0.6.3",
"grunt": "~0.4.1",
"grunt-angular-templates": "~0.5.7",
"grunt-autoprefixer": "~0.7.2",
@ -78,4 +78,4 @@
"assemble": "~0.4.42",
"handlebars-helper-compose": "~0.2.12"
}
}
}


@ -1,5 +1,13 @@
'use strict';
// add DOMPurify hook to sanitze attributes
DOMPurify.addHook('afterSanitizeAttributes', function(node) {
// open all links in a new window
if ('target' in node) {
node.setAttribute('target', '_blank');
}
});
// set listener for event from main window
window.onmessage = function(e) {
var html = '';
@ -13,19 +21,16 @@ window.onmessage = function(e) {
}
// sanitize HTML content: https://github.com/cure53/DOMPurify
html = window.DOMPurify.sanitize(html);
// make links open in a new window
html = html.replace(/<a /g, '<a target="_blank" ');
// remove sources where necessary
if (e.data.removeImages) {
html = html.replace(/(<img[^>]+\b)src=['"][^'">]+['"]/ig, function(match, prefix) {
return prefix;
// remove http leaks
document.body.innerHTML = DOMPurify.sanitize(html, {
FORBID_TAGS: ['style', 'svg', 'audio', 'video'],
FORBID_ATTR: ['src']
});
} else {
document.body.innerHTML = DOMPurify.sanitize(html);
}
document.body.innerHTML = html;
attachClickHandlers();
};
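Review bot: In the `removeImages` branch, `FORBID_ATTR: ['src']` together with forbidding `<style>` does not close every remote-fetch channel: an inline `style` attribute containing `url(...)` and the legacy `background` attribute on `<body>`/`<table>`/`<td>` still make the browser request external resources if DOMPurify 0.6.3's default attribute list lets them through (it appears to allow both; confirm against that version). Extending the option to `FORBID_ATTR: ['src', 'srcset', 'poster', 'background', 'style']` would cover those cases in the no-remote-content mode, since "remove http leaks" is the stated intent. Separately, the `afterSanitizeAttributes` hook in the first hunk sets `target="_blank"` without a matching `rel`, so an opened page receives a `window.opener` reference to this frame; adding `node.setAttribute('rel', 'noopener noreferrer');` beside it is cheap unless the frame is already sandboxed in a way that blocks that. The `window.onmessage` handler edited here begins in the previous hunk, so whether `e.origin` is checked before `e.data` is read cannot be seen from this hunk.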