Merge pull request #321 from whiteout-io/audit/WO-03-002

[WO-03-002] Fix Insecure Regex Usage on DOMPurify Sanitizer Output (Medi...
Felix Hammerl 2015-04-22 17:38:32 +02:00
commit 898e19e3ea
3 changed files with 18 additions and 12 deletions


@ -46,7 +46,8 @@
"Lawnchair", "Lawnchair",
"_", "_",
"openpgp", "openpgp",
"PhoneNumber" "PhoneNumber",
"DOMPurify"
], ],
"globals": {} "globals": {}


@ -39,7 +39,7 @@
"browsersmtp": "https://github.com/whiteout-io/browsersmtp/tarball/master", "browsersmtp": "https://github.com/whiteout-io/browsersmtp/tarball/master",
"chai": "~1.9.2", "chai": "~1.9.2",
"crypto-lib": "~0.2.1", "crypto-lib": "~0.2.1",
"dompurify": "~0.4.2", "dompurify": "~0.6.3",
"grunt": "~0.4.1", "grunt": "~0.4.1",
"grunt-angular-templates": "~0.5.7", "grunt-angular-templates": "~0.5.7",
"grunt-autoprefixer": "~0.7.2", "grunt-autoprefixer": "~0.7.2",
@ -78,4 +78,4 @@
"assemble": "~0.4.42", "assemble": "~0.4.42",
"handlebars-helper-compose": "~0.2.12" "handlebars-helper-compose": "~0.2.12"
} }
} }


@ -1,5 +1,13 @@
'use strict'; 'use strict';
// add DOMPurify hook to sanitze attributes
DOMPurify.addHook('afterSanitizeAttributes', function(node) {
// open all links in a new window
if ('target' in node) {
node.setAttribute('target', '_blank');
}
});
// set listener for event from main window // set listener for event from main window
window.onmessage = function(e) { window.onmessage = function(e) {
var html = ''; var html = '';
@ -13,19 +21,16 @@ window.onmessage = function(e) {
} }
// sanitize HTML content: https://github.com/cure53/DOMPurify // sanitize HTML content: https://github.com/cure53/DOMPurify
html = window.DOMPurify.sanitize(html);
// make links open in a new window
html = html.replace(/<a /g, '<a target="_blank" ');
// remove sources where necessary
if (e.data.removeImages) { if (e.data.removeImages) {
html = html.replace(/(<img[^>]+\b)src=['"][^'">]+['"]/ig, function(match, prefix) { // remove http leaks
return prefix; document.body.innerHTML = DOMPurify.sanitize(html, {
FORBID_TAGS: ['style', 'svg', 'audio', 'video'],
FORBID_ATTR: ['src']
}); });
} else {
document.body.innerHTML = DOMPurify.sanitize(html);
} }
document.body.innerHTML = html;
attachClickHandlers(); attachClickHandlers();
}; };
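Review bot: The `afterSanitizeAttributes` hook sets `target="_blank"` on every node that exposes a `target` property but never sets `rel`, so a link opened from the sanitized mail keeps a `window.opener` reference back to this frame (reverse tabnabbing); add `node.setAttribute('rel', 'noopener noreferrer');` right after the `target` assignment. In the `removeImages` branch, `FORBID_ATTR: ['src']` covers only `src`; if the installed DOMPurify's default allow-list still passes `srcset`, `poster` or an inline `style` attribute, a remote `url()` or image candidate list can still trigger a fetch, so listing those alongside `src` (and forbidding the `style` attribute as well as the `<style>` tag) would close the same leak the `// remove http leaks` comment names. The second hunk sits inside `window.onmessage`, whose body starts before and continues past the shown lines.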