Fixed HTML encode bugs #476 #649 etc.

6 years ago · e8eb6b094b
10 changed files with 994 additions and 918 deletions
--- a/README.md
+++ b/README.md
@ -197,7 +197,7 @@ Editor.md options and default values:
    tocDropdown          : false,          // Enable/disable Table Of Contents dropdown menu
    tocContainer         : "",             // Custom Table Of Contents Container Selector
    tocStartLevel        : 1,              // Said from H1 to create ToC
-    htmlDecode           : false,          // Open the HTML tag identification 
+    htmlDecode           : false,          // Open the HTML tag identification, If set String value expression : tagName,tagName,...|attrName,attrName,...
    pageBreak            : true,           // Enable parse page break [========]
    atLink               : true,           // for @link
    emailLink            : true,           // for email address auto link
--- a/editormd.amd.js
+++ b/editormd.amd.js
@ -222,7 +222,7 @@
        tocDropdown          : false,
        tocContainer         : "",
        tocStartLevel        : 1,              // Said from H1 to create ToC
-        htmlDecode           : false,          // Open the HTML tag identification
+        htmlDecode           : false,          // Open the HTML tag identification, If set String value expression : tagName,tagName,...|attrName,attrName,...
        pageBreak            : true,           // Enable parse page break [========]
        atLink               : true,           // for @link
        emailLink            : true,           // for email address auto link
@ -1996,7 +1996,7 @@
                        tocMenu.remove();
                    }

-                    editormd.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel);
+                    editormd.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel, markedOptions.renderer);

                    if (settings.tocDropdown || tocContainer.find("." + this.classPrefix + "toc-menu").length > 0) {
                        editormd.tocDropdownMenu(tocContainer, (settings.tocTitle !== "") ? settings.tocTitle : this.lang.tocTitle);
@ -3459,6 +3459,10 @@

            var headingHTML = "<h" + level + " id=\"h"+ level + "-" + this.options.headerPrefix + id +"\">";

+            // fixed https://github.com/pandao/editor.md/issues/476
+            // fixed https://github.com/pandao/editor.md/issues/649
+            text = text.replace(/(<([^>]+)>)/ig, ""); // /<[^>]*>/g
+
            headingHTML    += "<a name=\"" + text + "\" class=\"reference-link\"></a>";
            headingHTML    += "<span class=\"header-link octicon octicon-link\"></span>";
            headingHTML    += (hasLinkReg) ? this.atLink(this.emoji(linkText)) : this.atLink(this.emoji(text));
@ -3537,10 +3541,12 @@
     * @param   {Array}    toc             从marked获取的TOC数组列表
     * @param   {Element}  container       插入TOC的容器元素
     * @param   {Integer}  startLevel      Hx 起始层级
+     * @param   {object}   markedRenderer  Marked Renderer
     * @returns {Object}   tocContainer    返回ToC列表容器层的jQuery对象元素
     */

-    editormd.markdownToCRenderer = function(toc, container, tocDropdown, startLevel) {
+    editormd.markdownToCRenderer = function(toc, container, tocDropdown, startLevel, markedRenderer) {
+        markedRenderer = markedRenderer || null;

        var html        = "";
        var lastLevel   = 0;
@ -3564,7 +3570,15 @@
                html += "</ul></li>";
            }

-            html += "<li><a class=\"toc-level-" + level + "\" href=\"#" + text + "\" level=\"" + level + "\">" + text + "</a><ul>";
+            // fixed https://github.com/pandao/editor.md/issues/476
+            // fixed https://github.com/pandao/editor.md/issues/649
+            var href = text.replace(/(<([^>]+)>)/ig, ""); // /<[^>]*>/g
+
+            if (markedRenderer) {
+                text = markedRenderer.emoji(text); // Fixed Heading can't has emoji code
+            }
+
+            html += "<li><a class=\"toc-level-" + level + "\" href=\"#" + href + "\" level=\"" + level + "\">" + text + "</a><ul>";
            lastLevel = level;
        }

@ -3682,7 +3696,7 @@
        }

        if (typeof attrs !== "undefined") {
-            var htmlTagRegex = /\<(\w+)\s*([^\>]*)\>([^\>]*)\<\/(\w+)\>/ig;
+            var htmlTagRegex = /\<(\w+)\s*([^\/\>]*)\>([^\>]*)\<\/(\w+)\>/ig;

            if (attrs === "*") {
                html = html.replace(htmlTagRegex, function($1, $2, $3, $4, $5) {
@ -3697,6 +3711,11 @@
                    $.each(_attrs, function(i, e) {
                        if (e.nodeName !== "\"") {
                            $attrs[e.nodeName] = e.nodeValue;
+
+                            // Fixed like <a href="javascript:alert('xss')"></a> XSS problem, Copy from pull request #532
+                            if (e.nodeName === "href" && e.nodeValue.toLowerCase().indexOf("javascript:") >= 0) {
+                                $attrs[e.nodeName] = "javascript:;";
+                            }
                        }
                    });

@ -3828,7 +3847,7 @@
        }

        if (settings.toc) {
-            div.tocContainer = this.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel);
+            div.tocContainer = this.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel, markedOptions.renderer);

            if (settings.tocDropdown || div.find("." + this.classPrefix + "toc-menu").length > 0) {
                this.tocDropdownMenu(div, settings.tocTitle);
--- a/editormd.amd.min.js
+++ b/editormd.amd.min.js
--- a/editormd.js
+++ b/editormd.js
@ -152,7 +152,7 @@
        tocDropdown          : false,
        tocContainer         : "",
        tocStartLevel        : 1,              // Said from H1 to create ToC
-        htmlDecode           : false,          // Open the HTML tag identification
+        htmlDecode           : false,          // Open the HTML tag identification, If set String value expression : tagName,tagName,...|attrName,attrName,...
        pageBreak            : true,           // Enable parse page break [========]
        atLink               : true,           // for @link
        emailLink            : true,           // for email address auto link
@ -1926,7 +1926,7 @@
                        tocMenu.remove();
                    }

-                    editormd.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel);
+                    editormd.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel, markedOptions.renderer);

                    if (settings.tocDropdown || tocContainer.find("." + this.classPrefix + "toc-menu").length > 0) {
                        editormd.tocDropdownMenu(tocContainer, (settings.tocTitle !== "") ? settings.tocTitle : this.lang.tocTitle);
@ -3389,6 +3389,10 @@

            var headingHTML = "<h" + level + " id=\"h"+ level + "-" + this.options.headerPrefix + id +"\">";

+            // fixed https://github.com/pandao/editor.md/issues/476
+            // fixed https://github.com/pandao/editor.md/issues/649
+            text = text.replace(/(<([^>]+)>)/ig, ""); // /<[^>]*>/g
+
            headingHTML    += "<a name=\"" + text + "\" class=\"reference-link\"></a>";
            headingHTML    += "<span class=\"header-link octicon octicon-link\"></span>";
            headingHTML    += (hasLinkReg) ? this.atLink(this.emoji(linkText)) : this.atLink(this.emoji(text));
@ -3467,10 +3471,12 @@
     * @param   {Array}    toc             从marked获取的TOC数组列表
     * @param   {Element}  container       插入TOC的容器元素
     * @param   {Integer}  startLevel      Hx 起始层级
+     * @param   {object}   markedRenderer  Marked Renderer
     * @returns {Object}   tocContainer    返回ToC列表容器层的jQuery对象元素
     */

-    editormd.markdownToCRenderer = function(toc, container, tocDropdown, startLevel) {
+    editormd.markdownToCRenderer = function(toc, container, tocDropdown, startLevel, markedRenderer) {
+        markedRenderer = markedRenderer || null;

        var html        = "";
        var lastLevel   = 0;
@ -3494,7 +3500,15 @@
                html += "</ul></li>";
            }

-            html += "<li><a class=\"toc-level-" + level + "\" href=\"#" + text + "\" level=\"" + level + "\">" + text + "</a><ul>";
+            // fixed https://github.com/pandao/editor.md/issues/476
+            // fixed https://github.com/pandao/editor.md/issues/649
+            var href = text.replace(/(<([^>]+)>)/ig, ""); // /<[^>]*>/g
+
+            if (markedRenderer) {
+                text = markedRenderer.emoji(text); // Fixed Heading can't has emoji code
+            }
+
+            html += "<li><a class=\"toc-level-" + level + "\" href=\"#" + href + "\" level=\"" + level + "\">" + text + "</a><ul>";
            lastLevel = level;
        }

@ -3612,7 +3626,7 @@
        }

        if (typeof attrs !== "undefined") {
-            var htmlTagRegex = /\<(\w+)\s*([^\>]*)\>([^\>]*)\<\/(\w+)\>/ig;
+            var htmlTagRegex = /\<(\w+)\s*([^\/\>]*)\>([^\>]*)\<\/(\w+)\>/ig;

            if (attrs === "*") {
                html = html.replace(htmlTagRegex, function($1, $2, $3, $4, $5) {
@ -3627,6 +3641,11 @@
                    $.each(_attrs, function(i, e) {
                        if (e.nodeName !== "\"") {
                            $attrs[e.nodeName] = e.nodeValue;
+
+                            // Fixed like <a href="javascript:alert('xss')"></a> XSS problem, Copy from pull request #532
+                            if (e.nodeName === "href" && e.nodeValue.toLowerCase().indexOf("javascript:") >= 0) {
+                                $attrs[e.nodeName] = "javascript:;";
+                            }
                        }
                    });

@ -3758,7 +3777,7 @@
        }

        if (settings.toc) {
-            div.tocContainer = this.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel);
+            div.tocContainer = this.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel, markedOptions.renderer);

            if (settings.tocDropdown || div.find("." + this.classPrefix + "toc-menu").length > 0) {
                this.tocDropdownMenu(div, settings.tocTitle);
--- a/editormd.min.js
+++ b/editormd.min.js
--- a/examples/html-tags-decode.html
+++ b/examples/html-tags-decode.html
@ -22,7 +22,9 @@
                <button class="filter-btn" exp="style,script,iframe|onclick,title,onmouseover,onmouseout,style">Filter style,script,iframe|onclick,title,onmouseover,onmouseout,style</button>
            </div>
            <div id="test-editormd">
-                <textarea style="display:none;">#### 开启识别和解析 HTML 标签
+                <textarea style="display:none;">[TOC]
+
+#### 开启识别和解析 HTML 标签

 配置项：

@ -56,7 +58,19 @@ alert("script");
 &lt;iframe height=498 width=510 src="http://player.youku.com/embed/XMzA0MzIwMDgw" frameborder=0 allowfullscreen&gt;&lt;/iframe&gt;
 ```

-##### Style
+#### **Strong text** Test
+
+##### Image
+
+&lt;img src="http://editor.md.ipandao.com/images/logos/editormd-logo-64x64.png"/&gt;
+
+&lt;a href="https://github.com/pandao/editor.md"&gt;&lt;img src="http://editor.md.ipandao.com/images/logos/editormd-logo-64x64.png"/&gt;&lt/a&gt;
+
+[![](http://editor.md.ipandao.com/images/logos/editormd-logo-64x64.png)](https://github.com/pandao/editor.md)
+
+:sweat_smile: :blush: :smiley: :relaxed: :smile: [:laughing:](https://github.com/pandao/editor.md)
+
+##### Style :sweat_smile:

 &lt;style&gt;
 body{background:red;}
@ -76,6 +90,8 @@ alert("script");
 alert("script");
 &lt;/script&gt;

+&lt;a href="javascript:alert('xss')"&gt;a javascript:alert("xss")&lt;/a&gt;
+
 ##### Events

 &lt;div style="color:green;" onclick="alert(1233);" title="div xxxxx"&gt;Events&lt;/div&gt;
@ -103,10 +119,11 @@ alert("script");
                    width: "90%",
                    height: 720,
                    path : '../lib/',
+                    emoji: true,
                    htmlDecode : true,   // Decode all html tags & attributes
                    // Expression : tagName,tagName,...|attrName,attrName,...
-                    //htmlDecode : "style,script,iframe,sub,sup|on*"  // Filter tags, and all on* attributes
-                    //htmlDecode : "style,script,iframe,sub,sup|*"    // Filter tags, and all attributes
+                    htmlDecode : "style,script,iframe,sub,sup|on*"  // Filter tags, and all on* attributes
+                    // htmlDecode : "style,script,iframe,sub,sup|*"    // Filter tags, and all attributes, TOC not parsing
                    //htmlDecode : "style,script,iframe,sub,sup,embed|onclick,title,onmouseover,onmouseout,style" // Filter tags, and your custom attributes
                });

--- a/examples/test.md
+++ b/examples/test.md
@ -270,13 +270,15 @@ X&sup2; Y&sup3; &frac34; &frac14;  &times;  &divide;   &raquo;

 18&ordm;C  &quot;  &apos;

+#### **简要描述**
+
 [========]

 ### Emoji表情 :smiley:

 > Blockquotes :star:

-#### GFM task lists & Emoji & fontAwesome icon emoji & editormd logo emoji :editormd-logo-5x:
+#### GFM task lists & Emoji & fontAwesome icon emoji & editormd logo emoji :editormd-logo-2x:

 - [x] :smiley: @mentions, :smiley: #refs, [links](), **formatting**, and <del>tags</del> supported :editormd-logo:;
 - [x] list syntax required (any unordered or ordered list supported) :editormd-logo-3x:;
--- a/lib/codemirror/modes.min.js
+++ b/lib/codemirror/modes.min.js
--- a/src/editormd.js
+++ b/src/editormd.js
@ -140,7 +140,7 @@
        tocDropdown          : false,
        tocContainer         : "",
        tocStartLevel        : 1,              // Said from H1 to create ToC
-        htmlDecode           : false,          // Open the HTML tag identification
+        htmlDecode           : false,          // Open the HTML tag identification, If set String value expression : tagName,tagName,...|attrName,attrName,...
        pageBreak            : true,           // Enable parse page break [========]
        atLink               : true,           // for @link
        emailLink            : true,           // for email address auto link
@ -1914,7 +1914,7 @@
                        tocMenu.remove();
                    }

-                    editormd.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel);
+                    editormd.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel, markedOptions.renderer);

                    if (settings.tocDropdown || tocContainer.find("." + this.classPrefix + "toc-menu").length > 0) {
                        editormd.tocDropdownMenu(tocContainer, (settings.tocTitle !== "") ? settings.tocTitle : this.lang.tocTitle);
@ -3377,6 +3377,10 @@

            var headingHTML = "<h" + level + " id=\"h"+ level + "-" + this.options.headerPrefix + id +"\">";

+            // fixed https://github.com/pandao/editor.md/issues/476
+            // fixed https://github.com/pandao/editor.md/issues/649
+            text = text.replace(/(<([^>]+)>)/ig, ""); // /<[^>]*>/g
+
            headingHTML    += "<a name=\"" + text + "\" class=\"reference-link\"></a>";
            headingHTML    += "<span class=\"header-link octicon octicon-link\"></span>";
            headingHTML    += (hasLinkReg) ? this.atLink(this.emoji(linkText)) : this.atLink(this.emoji(text));
@ -3455,10 +3459,12 @@
     * @param   {Array}    toc             从marked获取的TOC数组列表
     * @param   {Element}  container       插入TOC的容器元素
     * @param   {Integer}  startLevel      Hx 起始层级
+     * @param   {object}   markedRenderer  Marked Renderer
     * @returns {Object}   tocContainer    返回ToC列表容器层的jQuery对象元素
     */

-    editormd.markdownToCRenderer = function(toc, container, tocDropdown, startLevel) {
+    editormd.markdownToCRenderer = function(toc, container, tocDropdown, startLevel, markedRenderer) {
+        markedRenderer = markedRenderer || null;

        var html        = "";
        var lastLevel   = 0;
@ -3482,7 +3488,15 @@
                html += "</ul></li>";
            }

-            html += "<li><a class=\"toc-level-" + level + "\" href=\"#" + text + "\" level=\"" + level + "\">" + text + "</a><ul>";
+            // fixed https://github.com/pandao/editor.md/issues/476
+            // fixed https://github.com/pandao/editor.md/issues/649
+            var href = text.replace(/(<([^>]+)>)/ig, ""); // /<[^>]*>/g
+
+            if (markedRenderer) {
+                text = markedRenderer.emoji(text); // Fixed Heading can't has emoji code
+            }
+
+            html += "<li><a class=\"toc-level-" + level + "\" href=\"#" + href + "\" level=\"" + level + "\">" + text + "</a><ul>";
            lastLevel = level;
        }

@ -3600,7 +3614,7 @@
        }

        if (typeof attrs !== "undefined") {
-            var htmlTagRegex = /\<(\w+)\s*([^\>]*)\>([^\>]*)\<\/(\w+)\>/ig;
+            var htmlTagRegex = /\<(\w+)\s*([^\/\>]*)\>([^\>]*)\<\/(\w+)\>/ig;

            if (attrs === "*") {
                html = html.replace(htmlTagRegex, function($1, $2, $3, $4, $5) {
@ -3615,6 +3629,11 @@
                    $.each(_attrs, function(i, e) {
                        if (e.nodeName !== "\"") {
                            $attrs[e.nodeName] = e.nodeValue;
+
+                            // Fixed like <a href="javascript:alert('xss')"></a> XSS problem, Copy from pull request #532
+                            if (e.nodeName === "href" && e.nodeValue.toLowerCase().indexOf("javascript:") >= 0) {
+                                $attrs[e.nodeName] = "javascript:;";
+                            }
                        }
                    });

@ -3746,7 +3765,7 @@
        }

        if (settings.toc) {
-            div.tocContainer = this.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel);
+            div.tocContainer = this.markdownToCRenderer(markdownToC, tocContainer, settings.tocDropdown, settings.tocStartLevel, markedOptions.renderer);

            if (settings.tocDropdown || div.find("." + this.classPrefix + "toc-menu").length > 0) {
                this.tocDropdownMenu(div, settings.tocTitle);