Combining the HTML preview editor with server-side HTML validation (e.g. no inline JavaScript code)

There are many questions (for example, on whitelisting to prevent XSS with the WMD editor in C#, and on Markdown and server-side sanitization) about how to sanitize, on the server, the Markdown created by the WMD editor, so that the generated HTML does not contain malicious script, for example:

<img onload="alert('haha');" 
   src="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png" />

But I have not found a good way to close the hole on the client side. Client-side checking is no substitute for proper sanitization on the server, since anyone can impersonate the client and POST nasty Markdown to you. And if you sanitize the HTML on the server, the attacker cannot store the bad HTML, so nobody else will see it later and have their cookies stolen or their session hijacked by a malicious script. Thus there is a reasonable argument that it may not be worthwhile to enforce the no-script rules in the WMD preview panel.

But imagine that an attacker found a way to get malicious Markdown onto the server (for example, via a compromised feed from another site, or content added before an XSS bug was fixed). Your server-side whitelist, applied when translating Markdown into HTML, normally prevents the bad Markdown from being displayed to users. But if the attacker can get someone to edit the page (for example, by posting another entry claiming that the malicious entry has a broken link and asking someone to fix it), everyone who edits the page has their cookies stolen. This is admittedly a corner case, but it is still worth protecting against.

Also, it is probably a bad idea to let the client preview window accept different HTML than your server allows.

" " , . ?

[: , JavaScript, , , ].


wmd.js pushPreviewHtml(). GitHub:

if (wmd.panels.preview) {
    // `text` is assigned as raw HTML with no filtering, so any element or
    // event-handler attribute present in the rendered Markdown runs in the
    // preview pane as-is.
    wmd.panels.preview.innerHTML = text; 
}

. , Qaru , , IMG A ( !). . Meta Qaru post HTML- , ? .

: , , , . whitelisted . mailto: URL-, , , -, .

if (wmd.panels.preview) {

    // The original WMD code assigned the rendered HTML to the preview pane
    // untouched, so markup such as
    //    <img src="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png" onload="alert('haha');"/>
    // executed script while editing. Every tag is now checked against a
    // whitelist of plain elements, A elements (href and optional title only,
    // in that order) and IMG elements (src, then optional width/height/alt/
    // title, in that order); any tag that does not match is dropped from the
    // preview so malicious Markdown cannot run script here.
    //
    // Note: the scan below also treats a bare '<' with no closing '>' as a
    // tag (the '>' is optional in the pattern), so a stray '<' is removed too.
    var okTags = /^(<\/?(b|blockquote|code|del|dd|dl|dt|em|h1|h2|h3|i|kbd|li|ol|p|pre|s|sup|sub|strong|strike|ul)>|<(br|hr)\s?\/?>)$/i;
    var okLinks = /^(<a\shref="(\#\d+|(https?|ftp):\/\/[-A-Za-z0-9+&@#\/%?=~_|!:,.;\(\)]+)"(\stitle="[^"<>]+")?\s?>|<\/a>)$/i;
    var okImg = /^(<img\ssrc="https?:(\/\/[-A-Za-z0-9+&@#\/%?=~_|!:,.;\(\)]+)"(\swidth="\d{1,3}")?(\sheight="\d{1,3}")?(\salt="[^"<>]*")?(\stitle="[^"<>]*")?\s?\/?>)$/i;
    var whitelist = [okTags, okLinks, okImg];

    // True when the tag matches at least one whitelist pattern.
    var isAllowed = function (tag) {
        for (var i = 0; i < whitelist.length; i++) {
            if (whitelist[i].test(tag)) {
                return true;
            }
        }
        return false;
    };

    text = text.replace(/<[^<>]*>?/gi, function (tag) {
        return isAllowed(tag) ? tag : "";
    });

    wmd.panels.preview.innerHTML = text;  // unchanged from the original code
}

, GitHub - , GitHub.

: , URL-, showdown.js, :

:

var _DoAutoLinks = function(text) {
    // Bare <scheme:...> autolinks become anchors whose visible text is the
    // URL itself.
    // NOTE(review): the URL class [^'">\s] does not exclude '<' or '&', so the
    // captured URL is emitted into both the href and the link text unescaped.
    var urlAutoLink = /<((https?|ftp|dict):[^'">\s]+)>/gi;

    // Email addresses: <address@domain.foo>, with an optional mailto: prefix.
    // (The original carried a commented-out, whitespace-expanded copy of this
    // same pattern for readability; it is folded into this one-liner here.)
    var emailAutoLink = /<(?:mailto:)?([-.\w]+\@[-a-z0-9]+(\.[-a-z0-9]+)*\.[a-z]+)>/gi;

    // Replacement for a matched email autolink: unescape, then encode.
    var encodeEmail = function (wholeMatch, address) {
        return _EncodeEmailAddress(_UnescapeSpecialChars(address));
    };

    var result = text.replace(urlAutoLink, '<a href="$1">$1</a>');
    result = result.replace(emailAutoLink, encodeEmail);
    return result;
}

:

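var _DoAutoLinks = function(text) {
    // Use the simplified <url> form for bare links, so that the preview
    // whitelist only needs to accept <a href="..."> with no other attributes.
    //
    // The terminating character after a bare URL is required via lookahead
    // rather than captured and re-emitted: consuming it meant the whitespace
    // following a URL was eaten, so the second of two URLs separated by a
    // single space never saw the leading whitespace it needs and was left as
    // plain text. Output for single URLs is unchanged.
    var bareUrl = /(^|\s)(https?|ftp)(:\/\/[-A-Z0-9+&@#\/%?=~_|\[\]\(\)!:,\.;]*[-A-Z0-9+&@#\/%=~_|\[\]])(?=$|\W)/gi;

    // <scheme:...> becomes an anchor whose visible text is the URL itself.
    // NOTE(review): the URL class [^'">\s] still admits '<' and '&', so the
    // generated href relies on the caller's tag whitelist to reject anything
    // outside its allowed character set.
    var angleUrl = /<((https?|ftp):[^'">\s]+)>/gi;

    var result = text.replace(bareUrl, "$1<$2$3>");
    result = result.replace(angleUrl, '<a href="$1">$1</a>');
    return result;
};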

, , script. URL javascript: Firebug - .

