ホーム エクスプローラ ヘルプ
サインイン
Lawsun
/
ysjj-system
1
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ツリー: d230cfbce0
ブランチ タグ
ysjj-system
/
node_modules
/
egg-security
/
lib
/
helper
/
shtml.js

shtml.js 2.6 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. 'use strict';
    2. 

  2. 

  3. const isSafeDomain = require('../utils').isSafeDomain;
    4. 

  4. const xss = require('xss');
    5. 

  5. const BUILD_IN_ON_TAG_ATTR = Symbol('buildInOnTagAttr');
    6. 

  6. const utils = require('../utils');
    7. 

  7. 

  8. // default rule: https://github.com/leizongmin/js-xss/blob/master/lib/default.js
    9. 

  9. // add domain filter based on xss module
    10. 

  10. // custom options http://jsxss.com/zh/options.html
    11. 

  11. // eg: support a tag,filter attributes except for title : whiteList: {a: ['title']}
    12. 

  12. module.exports = function shtml(val) {
    13. 

  13.   if (typeof val !== 'string') return val;
    14. 

  14. 

  15.   const securityOptions = this.ctx.securityOptions || {};
    16. 

  16.   const shtmlConfig = utils.merge(this.app.config.helper.shtml, securityOptions.shtml);
    17. 

  17.   const domainWhiteList = this.app.config.security.domainWhiteList;
    18. 

  18.   const app = this.app;
    19. 

  19.   // filter href and src attribute if not in domain white list
    20. 

  20.   if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
    21. 

  21.     shtmlConfig[BUILD_IN_ON_TAG_ATTR] = function(tag, name, value, isWhiteAttr) {
    22. 

  22.       if (isWhiteAttr && (name === 'href' || name === 'src')) {
    23. 

  23.         if (!value) {
    24. 

  24.           return;
    25. 

  25.         }
    26. 

  26. 

  27.         value = String(value);
    28. 

  28. 

  29.         if (value[0] === '/' || value[0] === '#') {
    30. 

  30.           return;
    31. 

  31.         }
    32. 

  32. 

  33.         const hostname = utils.getFromUrl(value, 'hostname');
    34. 

  34.         if (!hostname) {
    35. 

  35.           return;
    36. 

  36.         }
    37. 

  37. 

  38.         // If we don't have our hostname in the app.security.domainWhiteList,
    39. 

  39.         // Just check for `shtmlConfig.domainWhiteList` and `ctx.whiteList`.
    40. 

  40.         if (!isSafeDomain(hostname, domainWhiteList)) {
    41. 

  41.           // Check for `shtmlConfig.domainWhiteList` first (duplicated now)
    42. 

  42.           if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length !== 0) {
    43. 

  43.             app.deprecate('[egg-security] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.');
    44. 

  44.             shtmlConfig.domainWhiteList = shtmlConfig.domainWhiteList.map(domain => domain.toLowerCase());
    45. 

  45.             if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) {
    46. 

  46.               return '';
    47. 

  47.             }
    48. 

  48.           } else {
    49. 

  49.             return '';
    50. 

  50.           }
    51. 

  51.         }
    52. 

  52.       }
    53. 

  53.     };
    54. 

  54. 

  55.     // avoid overriding user configuration 'onTagAttr'
    56. 

  56.     if (shtmlConfig.onTagAttr) {
    57. 

  57.       const original = shtmlConfig.onTagAttr;
    58. 

  58.       shtmlConfig.onTagAttr = function() {
    59. 

  59.         const result = original.apply(this, arguments);
    60. 

  60.         if (result !== undefined) {
    61. 

  61.           return result;
    62. 

  62.         }
    63. 

  63.         return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, arguments);
    64. 

  64. 

  65.       };
    66. 

  66.     } else {
    67. 

  67.       shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
    68. 

  68.     }
    69. 

  69.   }
    70. 

  70. 

  71.   return xss(val, shtmlConfig);
    72. 

  72. };
    73.