Merge pull request #3405 from sebgie/issue#3387

Add XSS prevention

Gruntfile.js

@@ -443,6 +443,7 @@ var path           = require('path'),
                         'bower_components/nprogress/nprogress.js',
                         'bower_components/ember-simple-auth/simple-auth.js',
                         'bower_components/ember-simple-auth/simple-auth-oauth2.js',
+                        'bower_components/google-caja/html-css-sanitizer-bundle.js',
 
                         'core/shared/lib/showdown/extensions/ghostimagepreview.js',
                         'core/shared/lib/showdown/extensions/ghostgfm.js'
@@ -475,8 +476,9 @@ var path           = require('path'),
                         'bower_components/jquery-file-upload/js/jquery.fileupload.js',
                         'bower_components/fastclick/lib/fastclick.js',
                         'bower_components/nprogress/nprogress.js',
-                        'bower_components/ember-simple-auth/ember-simple-auth.js',
+                        'bower_components/ember-simple-auth/simple-auth.js',
-                        'bower_components/ember-simple-auth/ember-simple-auth-oauth2.js',
+                        'bower_components/ember-simple-auth/simple-auth-oauth2.js',
+                        'bower_components/google-caja/html-css-sanitizer-bundle.js',
 
                         'core/shared/lib/showdown/extensions/ghostimagepreview.js',
                         'core/shared/lib/showdown/extensions/ghostgfm.js'

bower.json

@@ -23,6 +23,7 @@
     "moment": "2.4.0",
     "nprogress": "0.1.2",
     "showdown": "git://github.com/ErisDS/showdown.git#v0.3.2-ghost",
-    "validator-js": "3.4.0"
+    "validator-js": "3.4.0",
+    "google-caja": "5669.0.0"
   }
 }

core/client/helpers/gh-format-html.js

@@ -0,0 +1,18 @@
+/* global Handlebars, html_sanitize*/
+import cajaSanitizers from 'ghost/utils/caja-sanitizers';
+
+var formatHTML = Ember.Handlebars.makeBoundHelper(function (html) {
+    var escapedhtml = html || '';
+
+    // replace script and iFrame
+    escapedhtml = escapedhtml.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
+        '<pre><code>Embedded JavaScript</code></pre>');
+    escapedhtml = escapedhtml.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi,
+        '<pre><code>Embedded IFrame</code></pre>');
+
+    // sanitize HTML
+    escapedhtml = html_sanitize(escapedhtml, cajaSanitizers.url, cajaSanitizers.id);
+    return new Handlebars.SafeString(escapedhtml);
+});
+
+export default formatHTML;

core/client/helpers/gh-format-markdown.js

@@ -1,8 +1,21 @@
-/* global Showdown, Handlebars */
+/* global Showdown, Handlebars, html_sanitize*/
+import cajaSanitizers from 'ghost/utils/caja-sanitizers';
+
 var showdown = new Showdown.converter({extensions: ['ghostimagepreview', 'ghostgfm']});
 
 var formatMarkdown = Ember.Handlebars.makeBoundHelper(function (markdown) {
-    return new Handlebars.SafeString(showdown.makeHtml(markdown || ''));
+    var html = '';
+
+    // replace script and iFrame
+    markdown = markdown.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '```\nEmbedded JavaScript\n```');
+    markdown = markdown.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi, '```\nEmbedded IFrame\n```');
+
+    // convert markdown to HTML
+    html = showdown.makeHtml(markdown || '');
+
+    // sanitize html
+    html = html_sanitize(html, cajaSanitizers.url, cajaSanitizers.id);
+    return new Handlebars.SafeString(html);
 });
 
 export default formatMarkdown;

core/client/templates/posts/post.hbs

@@ -2,7 +2,7 @@
 
 {{#view "content-preview-content-view" tagName="section"}}
     <div class="wrapper">
-        <h1>{{{title}}}</h1>
+        <h1>{{title}}</h1>
-        {{{html}}}
+        {{gh-format-html html}}
     </div>
 {{/view}}

core/client/utils/caja-sanitizers.js

@@ -0,0 +1,29 @@
+/**
+ * google-caja uses url() and id() to verify if the values are allowed.
+ */
+var url,
+    id;
+
+/**
+ * Check if URL is allowed
+ * URLs are allowed if they start with http://, https://, or /.
+ */
+var url = function (url) {
+	url = url.toString().replace(/['"]+/g, '');
+    if (/^https?:\/\//.test(url) || /^\//.test(url)) {
+        return url;
+    }
+};
+
+/**
+ * Check if ID is allowed
+ * All ids are allowed at the moment.
+ */
+var id = function (id) {
+    return id;
+};
+
+export default {
+    url: url,
+    id: id
+};

core/test/functional/client/editor_test.js

@@ -172,7 +172,7 @@ CasperTest.begin('Image Uploads', 17, function suite(test) {
         test.assertUrlMatch(/ghost\/editor\/$/, 'Landed on the correct URL');
     });
 
-    var testFileLocation = 'test/file/location';
+    var testFileLocation = '/test/file/location';
 
     casper.then(function () {
         var markdownImageString = '![](' + testFileLocation + ')';
@@ -203,7 +203,7 @@ CasperTest.begin('Image Uploads', 17, function suite(test) {
         casper.thenClick('.entry-preview .image-uploader a.image-url');
     });
 
-    var imageURL = 'random.url';
+    var imageURL = 'http://www.random.url';
     casper.waitForSelector('.image-uploader-url', function onSuccess() {
         casper.sendKeys('.image-uploader-url input.url.js-upload-url', imageURL);
         casper.thenClick('.js-button-accept.button-save');