ADD: DOMPurify for preventing xss attacks

mycolorway · Nov 9, 2018 · ef01a64 · ef01a64
1 parent 65d78cb
commit ef01a64
Show file tree

Hide file tree

Showing 20 changed files with 2,695 additions and 951 deletions.
diff --git a/.bowerrc b/.bowerrc
diff --git a/Gruntfile.coffee b/Gruntfile.coffee
@@ -88,18 +88,18 @@ module.exports = (grunt) ->
         objectToExport: 'Simditor'
         globalAlias: 'Simditor'
         deps:
-          'default': ['$', 'SimpleModule', 'simpleHotkeys', 'simpleUploader']
-          amd: ['jquery', 'simple-module', 'simple-hotkeys', 'simple-uploader']
-          cjs: ['jquery', 'simple-module', 'simple-hotkeys', 'simple-uploader']
+          'default': ['$', 'SimpleModule', 'simpleHotkeys', 'simpleUploader', 'DOMPurify']
+          amd: ['jquery', 'simple-module', 'simple-hotkeys', 'simple-uploader', 'dompurify']
+          cjs: ['jquery', 'simple-module', 'simple-hotkeys', 'simple-uploader', 'dompurify']
           global:
-            items: ['jQuery', 'SimpleModule', 'simple.hotkeys', 'simple.uploader']
+            items: ['jQuery', 'SimpleModule', 'simple.hotkeys', 'simple.uploader', 'window.DOMPurify']
             prefix: ''
             suffix: ''
 
     copy:
       vendor:
         files: [{
-          src: 'vendor/bower/jquery/dist/jquery.min.js',
+          src: 'node_modules/jquery/dist/jquery.min.js',
           dest: 'site/assets/scripts/jquery.min.js'
         }]
       styles:
@@ -109,14 +109,17 @@ module.exports = (grunt) ->
         }]
       scripts:
         files: [{
-          src: 'vendor/bower/simple-module/lib/module.js',
+          src: 'node_modules/simple-module/lib/module.js',
           dest: 'site/assets/scripts/module.js'
         }, {
-          src: 'vendor/bower/simple-uploader/lib/uploader.js',
+          src: 'node_modules/simple-uploader/lib/uploader.js',
           dest: 'site/assets/scripts/uploader.js'
         }, {
-          src: 'vendor/bower/simple-hotkeys/lib/hotkeys.js',
+          src: 'node_modules/simple-hotkeys/lib/hotkeys.js',
           dest: 'site/assets/scripts/hotkeys.js'
+        }, {
+          src: 'node_modules/dompurify/dist/purify.js',
+          dest: 'site/assets/scripts/dompurify.js'
         }, {
           src: 'lib/simditor.js',
           dest: 'site/assets/scripts/simditor.js'
@@ -129,17 +132,20 @@ module.exports = (grunt) ->
           src: 'lib/*',
           dest: 'package/scripts/'
         }, {
-          src: 'vendor/bower/jquery/dist/jquery.min.js',
+          src: 'node_modules/jquery/dist/jquery.min.js',
           dest: 'package/scripts/jquery.min.js'
         }, {
-          src: 'vendor/bower/simple-module/lib/module.js',
+          src: 'node_modules/simple-module/lib/module.js',
           dest: 'package/scripts/module.js'
         }, {
-          src: 'vendor/bower/simple-uploader/lib/uploader.js',
+          src: 'node_modules/simple-uploader/lib/uploader.js',
           dest: 'package/scripts/uploader.js'
         }, {
-          src: 'vendor/bower/simple-hotkeys/lib/hotkeys.js',
+          src: 'node_modules/simple-hotkeys/lib/hotkeys.js',
           dest: 'package/scripts/hotkeys.js'
+        }, {
+          src: 'node_modules/dompurify/dist/purify.js',
+          dest: 'package/scripts/dompurify.js'
         }, {
           expand: true,
           flatten: true
@@ -234,10 +240,11 @@ module.exports = (grunt) ->
             'spec/buttons/*.js'
           ]
           vendor: [
-            'vendor/bower/jquery/dist/jquery.min.js'
-            'vendor/bower/simple-module/lib/module.js'
-            'vendor/bower/simple-uploader/lib/uploader.js'
-            'vendor/bower/simple-hotkeys/lib/hotkeys.js'
+            'node_modules/jquery/dist/jquery.min.js'
+            'node_modules/simple-module/lib/module.js'
+            'node_modules/simple-uploader/lib/uploader.js'
+            'node_modules/simple-hotkeys/lib/hotkeys.js'
+            'node_modules/dompurify/dist/purify.js'
           ]
 
     curl:

diff --git a/README.md b/README.md
@@ -9,6 +9,5 @@ It is used by [Tower](http://tower.im) -- a popular project management web appli
 Supported Browsers: IE10+、Chrome、Firefox、Safari.
 * [Download Zip](https://github.com/mycolorway/simditor/releases)
 * Install with npm: $ npm install simditor</li>
-* Install with bower: $ bower install simditor</li>
 
 Demo and docs can be found [here](http://simditor.tower.im/).
diff --git a/bower.json b/bower.json
diff --git a/circle.yml b/circle.yml
diff --git a/lib/simditor.js b/lib/simditor.js
@@ -1,23 +1,23 @@
 /*!
 * Simditor v2.3.21
 * http://simditor.tower.im/
-* 2018-10-17
+* 2018-11-09
 */
 (function (root, factory) {
   if (typeof define === 'function' && define.amd) {
     // AMD. Register as an anonymous module unless amdModuleId is set
-    define('simditor', ["jquery","simple-module","simple-hotkeys","simple-uploader"], function ($, SimpleModule, simpleHotkeys, simpleUploader) {
-      return (root['Simditor'] = factory($, SimpleModule, simpleHotkeys, simpleUploader));
+    define('simditor', ["jquery","simple-module","simple-hotkeys","simple-uploader","dompurify"], function ($, SimpleModule, simpleHotkeys, simpleUploader, DOMPurify) {
+      return (root['Simditor'] = factory($, SimpleModule, simpleHotkeys, simpleUploader, DOMPurify));
     });
   } else if (typeof exports === 'object') {
     // Node. Does not work with strict CommonJS, but
     // only CommonJS-like environments that support module.exports,
     // like Node.
-    module.exports = factory(require("jquery"),require("simple-module"),require("simple-hotkeys"),require("simple-uploader"));
+    module.exports = factory(require("jquery"),require("simple-module"),require("simple-hotkeys"),require("simple-uploader"),require("dompurify"));
   } else {
-    root['Simditor'] = factory(jQuery,SimpleModule,simple.hotkeys,simple.uploader);
+    root['Simditor'] = factory(jQuery,SimpleModule,simple.hotkeys,simple.uploader,window.DOMPurify);
   }
-}(this, function ($, SimpleModule, simpleHotkeys, simpleUploader) {
+}(this, function ($, SimpleModule, simpleHotkeys, simpleUploader, DOMPurify) {
 
 var AlignmentButton, BlockquoteButton, BoldButton, Button, Clipboard, CodeButton, CodePopover, ColorButton, FontScaleButton, Formatter, HrButton, ImageButton, ImagePopover, IndentButton, Indentation, InputManager, ItalicButton, Keystroke, LinkButton, LinkPopover, ListButton, OrderListButton, OutdentButton, Popover, Selection, Simditor, StrikethroughButton, TableButton, TitleButton, Toolbar, UnderlineButton, UndoManager, UnorderListButton, Util,
   extend = function(child, parent) { for (var key in parent) { if (hasProp.call(parent, key)) child[key] = parent[key]; } function ctor() { this.constructor = child; } ctor.prototype = parent.prototype; child.prototype = new ctor(); child.__super__ = parent.prototype; return child; },
@@ -2342,7 +2342,7 @@ Clipboard = (function(superClass) {
       return function() {
         var pasteContent;
         _this.editor.hidePopover();
-        _this.editor.body.get(0).innerHTML = state.html;
+        _this.editor.body.get(0).innerHTML = DOMPurify ? DOMPurify.sanitize(state.html) : state.html;
         _this.editor.undoManager.caretPosition(state.caret);
         _this.editor.body.focus();
         _this.editor.selection.reset();
@@ -2649,7 +2649,7 @@ Simditor = (function(superClass) {
   Simditor.prototype.setValue = function(val) {
     this.hidePopover();
     this.textarea.val(val);
-    this.body.get(0).innerHTML = val;
+    this.body.get(0).innerHTML = DOMPurify ? DOMPurify.sanitize(val) : val;
     this.formatter.format();
     this.formatter.decorate();
     this.util.reflow(this.body);