mirror of https://github.com/fastmail/Squire.git synced 2025-01-18 04:32:28 -05:00

Fix potential null deref when sanitizing html

Neil Jenkins 2016-12-13 12:15:35 +11:00
parent 1c2359550d
commit e35ad32c09
4 changed files with 18 additions and 16 deletions


@ -55,8 +55,8 @@ You can override this by setting properties on the config object (the second arg
* **isSetHTMLSanitized**: `Boolean` * **isSetHTMLSanitized**: `Boolean`
Should the HTML passed via calls to `setHTML` be passed to the sanitizer? If your app always sanitizes the HTML in some other way before calling this, you may wish to set this to `false` to avoid the overhead. Should the HTML passed via calls to `setHTML` be passed to the sanitizer? If your app always sanitizes the HTML in some other way before calling this, you may wish to set this to `false` to avoid the overhead.
* **isInsertedHTMLSanitized**: `Boolean` (defaults to `true`) Should the HTML passed via calls to `insertHTML` be passed to the sanitizer? This includes when the user pastes from the clipboard. Since you cannot control what other apps put on the clipboard, it is highly recommended you do not set this to `false`. * **isInsertedHTMLSanitized**: `Boolean` (defaults to `true`) Should the HTML passed via calls to `insertHTML` be passed to the sanitizer? This includes when the user pastes from the clipboard. Since you cannot control what other apps put on the clipboard, it is highly recommended you do not set this to `false`.
* **sanitizeToDOMFragment**: `(html: String, isPaste: Boolean) -> DOMFragment` * **sanitizeToDOMFragment**: `(html: String, isPaste: Boolean, self: Squire) -> DOMFragment`
A custom sanitization function. This will be called instead of the default call to DOMPurify to sanitize the potentially dangerous HTML. It is passed two arguments: the first is the string of HTML, the second is a boolean indicating if this content has come from the clipboard, rather than an explicit call by your own code. It must return a DOM Fragment node belonging to the same document as the editor's root node, with the contents being clean DOM nodes to set/insert. A custom sanitization function. This will be called instead of the default call to DOMPurify to sanitize the potentially dangerous HTML. It is passed three arguments: the first is the string of HTML, the second is a boolean indicating if this content has come from the clipboard, rather than an explicit call by your own code, the third is the squire instance. It must return a DOM Fragment node belonging to the same document as the editor's root node, with the contents being clean DOM nodes to set/insert.
Advanced usage Advanced usage
-------------- --------------


@ -2561,13 +2561,14 @@ function Squire ( root, config ) {
var proto = Squire.prototype; var proto = Squire.prototype;
var sanitizeToDOMFragment = function ( html/*, isPaste*/ ) { var sanitizeToDOMFragment = function ( html, isPaste, self ) {
var frag = DOMPurify.sanitize( html, { var doc = self._doc;
var frag = html ? DOMPurify.sanitize( html, {
WHOLE_DOCUMENT: false, WHOLE_DOCUMENT: false,
RETURN_DOM: true, RETURN_DOM: true,
RETURN_DOM_FRAGMENT: true RETURN_DOM_FRAGMENT: true
}); }) : null;
return doc.importNode( frag, true ); return frag ? doc.importNode( frag, true ) : doc.createDocumentFragment();
}; };
proto.setConfig = function ( config ) { proto.setConfig = function ( config ) {
@ -3994,7 +3995,7 @@ proto.setHTML = function ( html ) {
// Parse HTML into DOM tree // Parse HTML into DOM tree
if ( typeof sanitizeToDOMFragment === 'function' ) { if ( typeof sanitizeToDOMFragment === 'function' ) {
frag = sanitizeToDOMFragment( html, false ); frag = sanitizeToDOMFragment( html, false, this );
} else { } else {
div = this.createElement( 'DIV' ); div = this.createElement( 'DIV' );
div.innerHTML = html; div.innerHTML = html;
@ -4147,7 +4148,7 @@ proto.insertHTML = function ( html, isPaste ) {
// including the full <head> of the page. Need to strip this out. If // including the full <head> of the page. Need to strip this out. If
// available use DOMPurify to parse and sanitise. // available use DOMPurify to parse and sanitise.
if ( typeof sanitizeToDOMFragment === 'function' ) { if ( typeof sanitizeToDOMFragment === 'function' ) {
frag = sanitizeToDOMFragment( html, isPaste ); frag = sanitizeToDOMFragment( html, isPaste, this );
} else { } else {
if ( isPaste ) { if ( isPaste ) {
startFragmentIndex = html.indexOf( '<!--StartFragment-->' ); startFragmentIndex = html.indexOf( '<!--StartFragment-->' );
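Review bot: The rewritten default `sanitizeToDOMFragment` reads `self._doc` on its first line with no guard, so any caller still using the old two-argument form throws a TypeError before DOMPurify is reached. The two call sites shown here (`setHTML` and `insertHTML`) both pass `this`, but callers outside these hunks are not visible. The failure is closed, since nothing unsanitized gets inserted, so a contract comment above the function is enough, e.g. `// self is required: the sanitized fragment is imported into self._doc, the editor's own document`. The same code appears again in the later section beginning `@ -149,13`. Separately, the unchanged `else` branch of `setHTML` still assigns `div.innerHTML = html` with no sanitizing when no sanitizer function is available; whether a default build can reach that path cannot be told from these hunks.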

File diff suppressed because one or more lines are too long


@ -149,13 +149,14 @@ function Squire ( root, config ) {
var proto = Squire.prototype; var proto = Squire.prototype;
var sanitizeToDOMFragment = function ( html/*, isPaste*/ ) { var sanitizeToDOMFragment = function ( html, isPaste, self ) {
var frag = DOMPurify.sanitize( html, { var doc = self._doc;
var frag = html ? DOMPurify.sanitize( html, {
WHOLE_DOCUMENT: false, WHOLE_DOCUMENT: false,
RETURN_DOM: true, RETURN_DOM: true,
RETURN_DOM_FRAGMENT: true RETURN_DOM_FRAGMENT: true
}); }) : null;
return doc.importNode( frag, true ); return frag ? doc.importNode( frag, true ) : doc.createDocumentFragment();
}; };
proto.setConfig = function ( config ) { proto.setConfig = function ( config ) {
@ -1582,7 +1583,7 @@ proto.setHTML = function ( html ) {
// Parse HTML into DOM tree // Parse HTML into DOM tree
if ( typeof sanitizeToDOMFragment === 'function' ) { if ( typeof sanitizeToDOMFragment === 'function' ) {
frag = sanitizeToDOMFragment( html, false ); frag = sanitizeToDOMFragment( html, false, this );
} else { } else {
div = this.createElement( 'DIV' ); div = this.createElement( 'DIV' );
div.innerHTML = html; div.innerHTML = html;
@ -1735,7 +1736,7 @@ proto.insertHTML = function ( html, isPaste ) {
// including the full <head> of the page. Need to strip this out. If // including the full <head> of the page. Need to strip this out. If
// available use DOMPurify to parse and sanitise. // available use DOMPurify to parse and sanitise.
if ( typeof sanitizeToDOMFragment === 'function' ) { if ( typeof sanitizeToDOMFragment === 'function' ) {
frag = sanitizeToDOMFragment( html, isPaste ); frag = sanitizeToDOMFragment( html, isPaste, this );
} else { } else {
if ( isPaste ) { if ( isPaste ) {
startFragmentIndex = html.indexOf( '<!--StartFragment-->' ); startFragmentIndex = html.indexOf( '<!--StartFragment-->' );