Commit
2e848aa5
authored
Feb 25, 2021
by
Romain Courteaud
erp5_core: html viewer: whitelist some inline style attributes
parent
92eb61dc
Changes
1
Showing
1 changed file
with
52 additions
and
0 deletions
+52
-0
product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/gadget_html_viewer.js.js
product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/gadget_html_viewer.js.js
...
@@ -3,6 +3,7 @@
...
@@ -3,6 +3,7 @@
(
function
(
window
,
rJS
,
domsugar
,
document
,
DOMParser
,
NodeFilter
)
{
(
function
(
window
,
rJS
,
domsugar
,
document
,
DOMParser
,
NodeFilter
)
{
"
use strict
"
;
"
use strict
"
;
/*
function startsWithOneOf(str, prefix_list) {
function startsWithOneOf(str, prefix_list) {
var i;
var i;
for (i = prefix_list.length - 1; i >= 0; i -= 1) {
for (i = prefix_list.length - 1; i >= 0; i -= 1) {
...
@@ -12,6 +13,7 @@
...
@@ -12,6 +13,7 @@
}
}
return false;
return false;
}
}
*/
var
whitelist
=
{
var
whitelist
=
{
node_list
:
{
node_list
:
{
...
@@ -90,6 +92,30 @@
...
@@ -90,6 +92,30 @@
border
:
true
,
border
:
true
,
colspan
:
true
colspan
:
true
},
},
style_list
:
{
background
:
true
,
'
background-color
'
:
true
,
border
:
true
,
color
:
true
,
content
:
true
,
cursor
:
true
,
float
:
true
,
'
font-style
'
:
true
,
'
font-weight
'
:
true
,
height
:
true
,
margin
:
true
,
'
margin-left
'
:
true
,
'
margin-right
'
:
true
,
'
margin-top
'
:
true
,
'
margin-bottom
'
:
true
,
'
max-width
'
:
true
,
padding
:
true
,
'
padding-left
'
:
true
,
'
padding-right
'
:
true
,
'
padding-top
'
:
true
,
'
padding-bottom
'
:
true
,
width
:
true
},
link_node_list
:
{
link_node_list
:
{
A
:
true
,
A
:
true
,
IMG
:
true
,
IMG
:
true
,
...
@@ -139,6 +165,7 @@
...
@@ -139,6 +165,7 @@
attribute_list
,
attribute_list
,
len
,
len
,
link_len
,
link_len
,
style
,
already_dropped
,
already_dropped
,
finished
=
false
;
finished
=
false
;
...
@@ -164,6 +191,16 @@
...
@@ -164,6 +191,16 @@
keepOnlyChildren
(
current_node
);
keepOnlyChildren
(
current_node
);
}
else
{
}
else
{
// Keep the style attribute, which is forbidden by CSP
// which is a good thing, as it prevents injecting <style> element
style
=
undefined
;
attribute
=
'
style
'
;
if
(
current_node
.
hasAttribute
(
attribute
))
{
style
=
current_node
.
getAttribute
(
attribute
);
// Prevent anybody to put style in the allowed attribute_list
current_node
.
removeAttribute
(
attribute
);
}
// Cleanup attributes
// Cleanup attributes
attribute_list
=
current_node
.
attributes
;
attribute_list
=
current_node
.
attributes
;
len
=
attribute_list
.
length
;
len
=
attribute_list
.
length
;
...
@@ -175,6 +212,21 @@
...
@@ -175,6 +212,21 @@
}
}
}
}
// Restore the style
if
(
style
!==
undefined
)
{
current_node
.
style
=
style
;
// And drop not allowed style attributes
attribute_list
=
current_node
.
style
;
len
=
attribute_list
.
length
;
while
(
len
!==
0
)
{
len
=
len
-
1
;
attribute
=
attribute_list
[
len
];
if
(
!
whitelist
.
style_list
[
attribute
])
{
current_node
.
style
[
attribute
]
=
null
;
}
}
}
// Cleanup links
// Cleanup links
attribute_list
=
current_node
.
attributes
;
attribute_list
=
current_node
.
attributes
;
len
=
attribute_list
.
length
;
len
=
attribute_list
.
length
;
...
...
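Review bot: In the restore loop of the `@@ -175,6 +212,21 @@` hunk, non-whitelisted declarations are dropped with `current_node.style[attribute] = null;`, which relies on the dashed-attribute setter of CSSStyleDeclaration plus null-to-empty-string coercion; `current_node.style.removeProperty(attribute);` is the CSSOM-defined way to remove a declaration and states the intent directly. As far as I can tell, the indexed names that `current_node.style` enumerates are longhand properties, so the shorthand entries `border`, `background`, `margin` and `padding` in the new `style_list` (`@@ -90,6 +92,30 @@`) would never match and a `margin: 1px` declaration would survive only as its four `margin-*` longhands while `border:` and `background:` are silently dropped; if that is the intended conservative behaviour, a comment such as `// Names enumerated here are longhands: shorthand entries above only document intent` would save the next reader a debugging session, otherwise list the longhands you mean to allow. Note that `background`, `content` and `cursor` accept `url()` values, so if a matching longhand (e.g. `background-image`) is ever added to the list, the viewer would start fetching attacker-chosen URLs; worth a comment next to those entries explaining why they are present. The enclosing cleanup function starts and ends outside the hunk.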