WIP: Tags whitelisting (#506)

mpolidori · web-flow · commit 7966fa20c50f · 2021-10-19T18:58:47.000-04:00
diff --git a/ckanext/querytool/fanstatic/javascript/vitals.js b/ckanext/querytool/fanstatic/javascript/vitals.js
@@ -1118,3 +1118,160 @@ function hideAxisMinMax(selected,chart_number,rangeEnabled){
     $(`.axis_range_max_${chart_number}`).removeClass('hidden');
   }
 };
+
+
+
+/* HTML Sanitizer */
+
+var HtmlSanitizer = new (function () {
+
+	var tagWhitelist_ = {
+		'A': false, 'ABBR': true, 'B': true, 'BLOCKQUOTE': true, 'BODY': true, 'BR': true, 'CENTER': false, 'CODE': false, 'DIV': false, 'EM': true, 'FONT': false,
+		'H1': true, 'H2': true, 'H3': true, 'H4': true, 'H5': true, 'H6': true, 'HR': true, 'I': true, 'IMG': false, 'LABEL': true, 'LI': true, 'OL': true, 'P': true, 'PRE': false,
+		'SMALL': true, 'SOURCE': false, 'SPAN': true, 'STRONG': true, 'TABLE': false, 'TBODY': false, 'TR': false, 'TD': false, 'TH': false, 'THEAD': false, 'UL': true, 'U': true, 'VIDEO': false
+	};
+
+	var contentTagWhiteList_ = { 'FORM': true }; //tags that will be converted to DIVs
+
+	var attributeWhitelist_ = { 'align': true, 'color': true, 'controls': true, 'height': true, 'href': true, 'src': true, 'style': true, 'target': true, 'title': true, 'type': true, 'width': true };
+
+	var cssWhitelist_ = { 'color': true, 'background-color': true, 'font-size': true, 'text-align': true, 'text-decoration': true, 'font-weight': true };
+
+	var schemaWhiteList_ = [ 'http:', 'https:', 'data:', 'm-files:', 'file:', 'ftp:' ]; //which "protocols" are allowed in "href", "src" etc
+
+	var uriAttributes_ = { 'href': true, 'action': true };
+
+	this.SanitizeHtml = function(input) {
+		input = input.trim();
+		if (input == "") return ""; //to save performance and not create iframe
+
+		//firefox "bogus node" workaround
+		if (input == "<br>") return "";
+
+		var iframe = document.createElement('iframe');
+		if (iframe['sandbox'] === undefined) {
+			alert('Your browser does not support sandboxed iframes. Please upgrade to a modern browser.');
+			return '';
+		}
+		iframe['sandbox'] = 'allow-same-origin';
+		iframe.style.display = 'none';
+		document.body.appendChild(iframe); // necessary so the iframe contains a document
+		var iframedoc = iframe.contentDocument || iframe.contentWindow.document;
+		if (iframedoc.body == null) iframedoc.write("<body></body>"); // null in IE
+		iframedoc.body.innerHTML = input;
+
+		function makeSanitizedCopy(node) {
+			if (node.nodeType == Node.TEXT_NODE) {
+				var newNode = node.cloneNode(true);
+			} else if (node.nodeType == Node.ELEMENT_NODE && (tagWhitelist_[node.tagName] || contentTagWhiteList_[node.tagName])) {
+
+				//remove useless empty spans (lots of those when pasting from MS Outlook)
+				if ((node.tagName == "SPAN" || node.tagName == "B" || node.tagName == "I" || node.tagName == "U")
+					&& node.innerHTML.trim() == "") {
+					return document.createDocumentFragment();
+				}
+
+				if (contentTagWhiteList_[node.tagName])
+					newNode = iframedoc.createElement('DIV'); //convert to DIV
+				else
+					newNode = iframedoc.createElement(node.tagName);
+
+				for (var i = 0; i < node.attributes.length; i++) {
+					var attr = node.attributes[i];
+					if (attributeWhitelist_[attr.name]) {
+						if (attr.name == "style") {
+							for (s = 0; s < node.style.length; s++) {
+								var styleName = node.style[s];
+								if (cssWhitelist_[styleName])
+									newNode.style.setProperty(styleName, node.style.getPropertyValue(styleName));
+							}
+						}
+						else {
+							if (uriAttributes_[attr.name]) { //if this is a "uri" attribute, that can have "javascript:" or something
+								if (attr.value.indexOf(":") > -1 && !startsWithAny(attr.value, schemaWhiteList_))
+									continue;
+							}
+							newNode.setAttribute(attr.name, attr.value);
+						}
+					}
+				}
+				for (i = 0; i < node.childNodes.length; i++) {
+					var subCopy = makeSanitizedCopy(node.childNodes[i]);
+					newNode.appendChild(subCopy, false);
+				}
+			} else {
+				newNode = document.createDocumentFragment();
+			}
+			return newNode;
+		};
+
+		var resultElement = makeSanitizedCopy(iframedoc.body);
+		document.body.removeChild(iframe);
+		return resultElement.innerHTML
+			.replace(/<br[^>]*>(\S)/g, "<br>\n$1")
+			.replace(/div><div/g, "div>\n<div"); //replace is just for cleaner code
+	}
+
+	function startsWithAny(str, substrings) {
+		for (var i = 0; i < substrings.length; i++) {
+			if (str.indexOf(substrings[i]) == 0) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	this.AllowedTags = tagWhitelist_;
+	this.AllowedAttributes = attributeWhitelist_;
+	this.AllowedCssStyles = cssWhitelist_;
+	this.AllowedSchemas = schemaWhiteList_;
+});
+
+
+/* Sanitize HTML */
+$("body").on('change', '.textbox_desc', function(){
+  var content = $(this).val();
+  var html = HtmlSanitizer.SanitizeHtml(content);
+  $(this).val(html);
+});
+
+
+$("body").on('change', '[id^=table_field_title_]', function(){
+  var content = $(this).val();
+  var html = HtmlSanitizer.SanitizeHtml(content);
+  $(this).val(html);
+});
+
+$("body").on('change', '[id^=chart_field_title_]', function(){
+  var content = $(this).val();
+  var html = HtmlSanitizer.SanitizeHtml(content);
+  $(this).val(html);
+});
+
+$("body").on('change', '[id^=chart_field_desc_]', function(){
+  var content = $(this).val();
+  var html = HtmlSanitizer.SanitizeHtml(content);
+  $(this).val(html);
+});
+
+$("body").on('change', '[id^=map_custom_title_field_]', function(){
+  var content = $(this).val();
+  var html = HtmlSanitizer.SanitizeHtml(content);
+  $(this).val(html);
+});
+
+$("body").on('change', '[id^=field-description]', function(){
+  var content = $(this).val();
+  var html = HtmlSanitizer.SanitizeHtml(content);
+  $(this).val(html);
+});
+
+$("body").on('change', '[id^=field-additional_description]', function(){
+  var content = $(this).val();
+  var html = HtmlSanitizer.SanitizeHtml(content);
+  $(this).val(html);
+});
+
+
+
+
