mirror of
https://github.com/logseq/logseq.git
synced 2026-05-05 03:16:37 +00:00
5b0d5fb8b5
For tiny util heavily used fns like safe-re-find and uuid-string?, decouple graph-parser from so much of the app
34 lines
793 B
Clojure
34 lines
793 B
Clojure
(ns frontend.security
|
|
(:require [clojure.walk :as walk]
|
|
[frontend.util :as util]))
|
|
|
|
;; To prevent from cross-site scripting vulnerability, we should add security checks for both hiccup and raw html.
|
|
;; Hiccup: [:a {:href "javascript:alert('hei')"} "click me"]
|
|
|
|
(defn javascript-link?
|
|
[f]
|
|
(and
|
|
(vector? f)
|
|
(= :a (first f))
|
|
(:href (second f))
|
|
(:href (second f))
|
|
(util/safe-re-find #"(?i)javascript" (:href (second f)))))
|
|
|
|
(defn remove-javascript-links-in-href
|
|
[hiccup]
|
|
(walk/postwalk
|
|
(fn [f]
|
|
(if (javascript-link? f)
|
|
(update f 1 dissoc :href)
|
|
f))
|
|
hiccup))
|
|
|
|
;; HTML:
|
|
;; Example 1:
|
|
;; <script>
|
|
;; alert('gotcha');
|
|
;; </script>
|
|
|
|
;; Example 2:
|
|
;; <div style="padding: 20px; opacity: 0;height: 20px;" onmouseout="alert('Gotcha!')"></div>
|