Korbs/Squire
0
Fork 0
mirror of https://github.com/fastmail/Squire.git synced 2024-12-22 15:23:29 -05:00
Code Issues Activity

Use sanitizeToDOMFragment fn for undo/redo

Browse source 
The content should be safe anyway as it will already have been sanitised,
however mXSS attacks are still a slight risk so safer to always run it through
the sanitiser.
This commit is contained in:
Neil Jenkins 2021-02-05 14:26:38 +11:00
parent df2201038b
commit 108ff8f475
3 changed files with 20 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
build/squire-raw.js
View file

@ -1265,7 +1265,9 @@ var keys = {
37: 'left', 37: 'left',
39: 'right', 39: 'right',
46: 'delete', 46: 'delete',
191: '/',
219: '[', 219: '[',
220: '\\',
221: ']' 221: ']'
}; };
@ -3888,10 +3890,9 @@ var increaseBlockQuoteLevel = function ( frag ) {
}; };
var decreaseBlockQuoteLevel = function ( frag ) { var decreaseBlockQuoteLevel = function ( frag ) {
var root = this._root;
var blockquotes = frag.querySelectorAll( 'blockquote' ); var blockquotes = frag.querySelectorAll( 'blockquote' );
Array.prototype.filter.call( blockquotes, function ( el ) { Array.prototype.filter.call( blockquotes, function ( el ) {
return !getNearest( el.parentNode, root, 'BLOCKQUOTE' ); return !getNearest( el.parentNode, frag, 'BLOCKQUOTE' );
}).forEach( function ( el ) { }).forEach( function ( el ) {
replaceWith( el, empty( el ) ); replaceWith( el, empty( el ) );
}); });
@ -4172,7 +4173,14 @@ proto._getHTML = function () {
proto._setHTML = function ( html ) { proto._setHTML = function ( html ) {
var root = this._root; var root = this._root;
var node = root; var node = root;
var sanitizeToDOMFragment = this._config.sanitizeToDOMFragment;
if ( typeof sanitizeToDOMFragment === 'function' ) {
var frag = sanitizeToDOMFragment( html, false, this );
empty( node );
node.appendChild( frag );
} else {
node.innerHTML = html; node.innerHTML = html;
}
do { do {
fixCursor( node, root ); fixCursor( node, root );
} while ( node = getNextBlock( node, root ) ); } while ( node = getNextBlock( node, root ) );

2
build/squire.js
View file

File diff suppressed because one or more lines are too long

7
source/Editor.js
View file

@ -1600,7 +1600,14 @@ proto._getHTML = function () {
proto._setHTML = function ( html ) { proto._setHTML = function ( html ) {
var root = this._root; var root = this._root;
var node = root; var node = root;
var sanitizeToDOMFragment = this._config.sanitizeToDOMFragment;
if ( typeof sanitizeToDOMFragment === 'function' ) {
var frag = sanitizeToDOMFragment( html, false, this );
empty( node );
node.appendChild( frag );
} else {
node.innerHTML = html; node.innerHTML = html;
}
do { do {
fixCursor( node, root ); fixCursor( node, root );
} while ( node = getNextBlock( node, root ) ); } while ( node = getNextBlock( node, root ) );