erp5_core: html viewer: whitelist some inline style attributes

2e848aa5 · Romain Courteaud · 92eb61dc · 2e848aa5
Commit 2e848aa5 authored Feb 25, 2021 by Romain Courteaud
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 0 deletions

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/gadget_html_viewer.js.js ...plateItem/portal_skins/erp5_core/gadget_html_viewer.js.js +52 -0

No files found.
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/gadget_html_viewer.js.js
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/gadget_html_viewer.js.js
@@ -3,6 +3,7 @@
 (function (window, rJS, domsugar, document, DOMParser, NodeFilter) {
  "use strict";

+/*
  function startsWithOneOf(str, prefix_list) {
    var i;
    for (i = prefix_list.length - 1; i >= 0; i -= 1) {
@@ -12,6 +13,7 @@
    }
    return false;
  }
+*/

  var whitelist = {
    node_list: {
@@ -90,6 +92,30 @@
      border: true,
      colspan: true
    },
+    style_list: {
+      background: true,
+      'background-color': true,
+      border: true,
+      color: true,
+      content: true,
+      cursor: true,
+      float: true,
+      'font-style': true,
+      'font-weight': true,
+      height: true,
+      margin: true,
+      'margin-left': true,
+      'margin-right': true,
+      'margin-top': true,
+      'margin-bottom': true,
+      'max-width': true,
+      padding: true,
+      'padding-left': true,
+      'padding-right': true,
+      'padding-top': true,
+      'padding-bottom': true,
+      width: true
+    },
    link_node_list: {
      A: true,
      IMG: true,
@@ -139,6 +165,7 @@
      attribute_list,
      len,
      link_len,
+      style,
      already_dropped,
      finished = false;

@@ -164,6 +191,16 @@
          keepOnlyChildren(current_node);

        } else {
+          // Keep the style attribute, which is forbidden by CSP
+          // which is a good thing, as it prevents injecting <style> element
+          style = undefined;
+          attribute = 'style';
+          if (current_node.hasAttribute(attribute)) {
+            style = current_node.getAttribute(attribute);
+            // Prevent anybody to put style in the allowed attribute_list
+            current_node.removeAttribute(attribute);
+          }
+
          // Cleanup attributes
          attribute_list = current_node.attributes;
          len = attribute_list.length;
@@ -175,6 +212,21 @@
            }
          }

+          // Restore the style
+          if (style !== undefined) {
+            current_node.style = style;
+            // And drop not allowed style attributes
+            attribute_list = current_node.style;
+            len = attribute_list.length;
+            while (len !== 0) {
+              len = len - 1;
+              attribute = attribute_list[len];
+              if (!whitelist.style_list[attribute]) {
+                current_node.style[attribute] = null;
+              }
+            }
+          }
+
          // Cleanup links
          attribute_list = current_node.attributes;
          len = attribute_list.length;