evernote validate

https://github.com/leanote/desktop-app/issues/73
life
2015-10-27 10:27:53 +08:00
parent 11bb0d6604
commit da48d018eb
3 changed files with 64 additions and 23 deletions


@@ -196,30 +196,64 @@ function stripUnsafeAttrs (str) {
module.exports.stripUnsafeAttrs = stripUnsafeAttrs;
function stripUnsafeTags (str) {
var el = /<(?:wbr|form|input|font|blink|script|style|comment|plaintext|xmp|link|listing|meta|body|frame|frameset)\b/;
// var el = /<(?:wbr|form|input|font|blink|script|style|comment|plaintext|xmp|link|listing|meta|body|frame|frameset)\b/;
var ct = 0, max = 2;
// Prohibited elements
var otherTags = ['wbr','style', 'comment', 'plaintext', 'xmp', 'listing',
// 以下是evernote禁止的
'applet','base','basefont','bgsound','blink','body','button','dir','embed','fieldset','frameset','head',
'html','iframe','ilayer','input','isindex','label','layer','legend','link','marquee','menu','meta','noframes',
'noscript','object','optgroup','option','param','plaintext','script','select','style','textarea','xml'];
var patterReplace1 = '';
var patterReplace2 = '';
var pattern = '<(?:';
for (var i = 0; i < otherTags.length; ++i) {
pattern += otherTags[i] + '|';
patterReplace2 += otherTags[i] + '|';
}
pattern += 'body)\\b';
patterReplace2 += 'body'
var reg = new RegExp(pattern);
// 单个自闭合<input />
var replageReg = new RegExp('<\\/?(?:' + patterReplace2 + ')[^>]*?>', 'gi');
// We'll repeatedly try to strip any maliciously nested elements up to [max] times
while (el.test(str) && ct++ < max) {
str = str.replace(/<form[^>]*?>[\s\S]*?<\/form>/gi, '')
.replace(/<input[^>]*?>[\s\S]*?<\/input>/gi, '')
.replace(/<\/?(?:form|input|font|blink)[^>]*?>/gi, '')
while (reg.test(str) && ct++ < max) {
for (var i = 0; i < otherTags.length; ++i) {
var tag = otherTags[i];
// 双闭合<a></a>
str = str.replace(new RegExp('<' + tag + '[^>]*?>[\\s\\S]*?<\\/' + tag + '>', 'gi'), '')
}
// 单个自闭合
str = str.replace(replageReg, '');
// str = str.replace(/<form[^>]*?>[\s\S]*?<\/form>/gi, '')
// .replace(/<applet[^>]*?>[\s\S]*?<\/applet>/gi, '')
// .replace(/<input[^>]*?>[\s\S]*?<\/input>/gi, '')
// .replace(/<\/?(?:form|input|font|blink)[^>]*?>/gi, '')
// These are XSS/security risks
.replace(/<script[^>]*?>[\s\S]*?<\/script>/gi, '')
.replace(/<(\/)*wbr[^>]*?>/gi, '')
.replace(/<style[^>]*?>[\s\S]*?<\/style>/gi, '') // shouldn't work anyway...
.replace(/<comment[^>]*?>[\s\S]*?<\/comment>/gi, '')
.replace(/<plaintext[^>]*?>[\s\S]*?<\/plaintext>/gi, '')
.replace(/<xmp[^>]*?>[\s\S]*?<\/xmp>/gi, '')
.replace(/<\/?(?:link|listing|meta|body|frame|frameset)[^>]*?>/gi, '')
// .replace(/<script[^>]*?>[\s\S]*?<\/script>/gi, '')
// .replace(/<(\/)*wbr[^>]*?>/gi, '')
// .replace(/<style[^>]*?>[\s\S]*?<\/style>/gi, '') // shouldn't work anyway...
// .replace(/<comment[^>]*?>[\s\S]*?<\/comment>/gi, '')
// .replace(/<plaintext[^>]*?>[\s\S]*?<\/plaintext>/gi, '')
// .replace(/<xmp[^>]*?>[\s\S]*?<\/xmp>/gi, '')
// .replace(/<\/?(?:link|listing|meta|body|frame|frameset)[^>]*?>/gi, '')
// Delete iframes, except those inserted by Google in lieu of video embeds
.replace(/<iframe(?![^>]*?src=("|')\S+?reader.googleusercontent.com\/reader\/embediframe.+?\1)[^>]*?>[\s\S]*?<\/iframe>/gi, '')
;
}
if (el.test(str)) {
// We couldn't safely strip the HTML, so we return an empty string
return '';
// .replace(/<iframe(?![^>]*?src=("|')\S+?reader.googleusercontent.com\/reader\/embediframe.+?\1)[^>]*?>[\s\S]*?<\/iframe>/gi, '')
// ;
}
// if (el.test(str)) {
// // We couldn't safely strip the HTML, so we return an empty string
// return '';
// }
return str;
}
module.exports.stripUnsafeTags = stripUnsafeTags;
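Review bot: The fail-closed guard `if (el.test(str))` still keys off the old `el` regex while the stripping loop now keys off `reg`, so the two lists disagree: tags that are only in `otherTags` (iframe, object, embed, applet, …) and survive the `max` passes are returned instead of rejected, while tags only in `el` (form, font, frame) never enter the loop yet still cause the whole string to be replaced by `''`. Both `el` and `new RegExp(pattern)` are also built without the `i` flag, so a tag written in upper or mixed case is never detected even though every replacement runs with `gi`. I would build one matcher and use it in both places: `var reg = new RegExp(pattern, 'i');` and `if (reg.test(str)) {` in place of the `el` check, and drop the then-unused `el` declaration. The +/- markers are lost on this rendered page, so I read the `.replace(/<script...` chain and the `.replace(/<iframe...` lines as the removed side; if any of them survive on the new side, that `.replace` chain has no receiver after the commented-out lines above it. A regex tag-stripper remains brittle by nature, and a DOM-based allowlist sanitizer would be the more robust long-term fix for this issue.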