mirror of
https://github.com/pierre42100/ComunicWeb
synced 2024-12-24 09:58:51 +00:00
Fix security breach.
This commit is contained in:
parent
089739e141
commit
c2eba7b3be
@ -592,4 +592,27 @@ function dataURItoBlob(dataURI){
|
||||
|
||||
return new Blob([ia], {type: mimeString});
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Satinize some HTML source code by removing all javascript event detectors
|
||||
* from it
|
||||
*
|
||||
* @param {string} html The source code to update
|
||||
* @return {string} Secured html
|
||||
*/
|
||||
function removeJavascriptEventsFromHTML(html){
|
||||
|
||||
//Check if the string to check is null (we will consider
|
||||
//at safe in this case)
|
||||
if(html == null)
|
||||
return html;
|
||||
|
||||
//Search for unexceptable references
|
||||
while(html.match(/on[a-zA-Z ]+=/i) != null){
|
||||
let match = html.match(/on[a-zA-Z ]+=/i)[0];
|
||||
html = html.replace(match, match.replace("on", "o<block></block>n"))
|
||||
}
|
||||
|
||||
return html;
|
||||
}
|
@ -826,7 +826,7 @@ ComunicWeb.components.posts.ui = {
|
||||
appendTo: postRoot,
|
||||
type: "div",
|
||||
class: "post_content",
|
||||
innerHTML: info.content
|
||||
innerHTML: removeJavascriptEventsFromHTML(info.content)
|
||||
});
|
||||
|
||||
//Parse emojies
|
||||
|
Loading…
Reference in New Issue
Block a user