Korbs/Squire
0
Fork 0
mirror of https://github.com/fastmail/Squire.git synced 2024-12-22 15:23:29 -05:00
Code Issues Activity

Fix potential null deref when sanitizing html

Browse source
This commit is contained in:
Neil Jenkins 2016-12-13 12:15:35 +11:00
parent 1c2359550d
commit e35ad32c09
4 changed files with 18 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -55,8 +55,8 @@ You can override this by setting properties on the config object (the second arg
* **isSetHTMLSanitized**: `Boolean`
Should the HTML passed via calls to `setHTML` be passed to the sanitizer? If your app always sanitizes the HTML in some other way before calling this, you may wish to set this to `false` to avoid the overhead.
* **isInsertedHTMLSanitized**: `Boolean` (defaults to `true`) Should the HTML passed via calls to `insertHTML` be passed to the sanitizer? This includes when the user pastes from the clipboard. Since you cannot control what other apps put on the clipboard, it is highly recommended you do not set this to `false`.
* **sanitizeToDOMFragment**: `(html: String, isPaste: Boolean) -> DOMFragment`
A custom sanitization function. This will be called instead of the default call to DOMPurify to sanitize the potentially dangerous HTML. It is passed two arguments: the first is the string of HTML, the second is a boolean indicating if this content has come from the clipboard, rather than an explicit call by your own code. It must return a DOM Fragment node belonging to the same document as the editor's root node, with the contents being clean DOM nodes to set/insert.
* **sanitizeToDOMFragment**: `(html: String, isPaste: Boolean, self: Squire) -> DOMFragment`
A custom sanitization function. This will be called instead of the default call to DOMPurify to sanitize the potentially dangerous HTML. It is passed three arguments: the first is the string of HTML, the second is a boolean indicating if this content has come from the clipboard, rather than an explicit call by your own code, the third is the squire instance. It must return a DOM Fragment node belonging to the same document as the editor's root node, with the contents being clean DOM nodes to set/insert.
Advanced usage
--------------

13
build/squire-raw.js
View file

@ -2561,13 +2561,14 @@ function Squire ( root, config ) {
var proto = Squire.prototype;
var sanitizeToDOMFragment = function ( html/*, isPaste*/ ) {
var frag = DOMPurify.sanitize( html, {
var sanitizeToDOMFragment = function ( html, isPaste, self ) {
var doc = self._doc;
var frag = html ? DOMPurify.sanitize( html, {
WHOLE_DOCUMENT: false,
RETURN_DOM: true,
RETURN_DOM_FRAGMENT: true
});
return doc.importNode( frag, true );
}) : null;
return frag ? doc.importNode( frag, true ) : doc.createDocumentFragment();
};
proto.setConfig = function ( config ) {
@ -3994,7 +3995,7 @@ proto.setHTML = function ( html ) {
// Parse HTML into DOM tree
if ( typeof sanitizeToDOMFragment === 'function' ) {
frag = sanitizeToDOMFragment( html, false );
frag = sanitizeToDOMFragment( html, false, this );
} else {
div = this.createElement( 'DIV' );
div.innerHTML = html;
@ -4147,7 +4148,7 @@ proto.insertHTML = function ( html, isPaste ) {
// including the full <head> of the page. Need to strip this out. If
// available use DOMPurify to parse and sanitise.
if ( typeof sanitizeToDOMFragment === 'function' ) {
frag = sanitizeToDOMFragment( html, isPaste );
frag = sanitizeToDOMFragment( html, isPaste, this );
} else {
if ( isPaste ) {
startFragmentIndex = html.indexOf( '<!--StartFragment-->' );

4
build/squire.js
View file

File diff suppressed because one or more lines are too long

13
source/Editor.js
View file

@ -149,13 +149,14 @@ function Squire ( root, config ) {
var proto = Squire.prototype;
var sanitizeToDOMFragment = function ( html/*, isPaste*/ ) {
var frag = DOMPurify.sanitize( html, {
var sanitizeToDOMFragment = function ( html, isPaste, self ) {
var doc = self._doc;
var frag = html ? DOMPurify.sanitize( html, {
WHOLE_DOCUMENT: false,
RETURN_DOM: true,
RETURN_DOM_FRAGMENT: true
});
return doc.importNode( frag, true );
}) : null;
return frag ? doc.importNode( frag, true ) : doc.createDocumentFragment();
};
proto.setConfig = function ( config ) {
@ -1582,7 +1583,7 @@ proto.setHTML = function ( html ) {
// Parse HTML into DOM tree
if ( typeof sanitizeToDOMFragment === 'function' ) {
frag = sanitizeToDOMFragment( html, false );
frag = sanitizeToDOMFragment( html, false, this );
} else {
div = this.createElement( 'DIV' );
div.innerHTML = html;
@ -1735,7 +1736,7 @@ proto.insertHTML = function ( html, isPaste ) {
// including the full <head> of the page. Need to strip this out. If
// available use DOMPurify to parse and sanitise.
if ( typeof sanitizeToDOMFragment === 'function' ) {
frag = sanitizeToDOMFragment( html, isPaste );
frag = sanitizeToDOMFragment( html, isPaste, this );
} else {
if ( isPaste ) {
startFragmentIndex = html.indexOf( '<!--StartFragment-->' );