Skip to content

Commit

Permalink
LPD-33910 Add sanitization for codeMirror editor
Browse files Browse the repository at this point in the history
  • Loading branch information
fortunatomaldonado committed Aug 26, 2024
1 parent 6dd0fb9 commit 799b5af
Showing 1 changed file with 23 additions and 13 deletions.
36 changes: 23 additions & 13 deletions plugins/codemirror/dialogs/codemirrordialog.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,13 @@ CKEDITOR.dialog.add('codemirrordialog', function (editor) {
var scaley = 0.7;
var height = size.height * scaley;
var width = size.width * scalex;
var ALERT_REGEX = /alert\((.*?)\)/;
var INNER_HTML_REGEX = /innerHTML\s*=\s*.*?/;
var PHP_CODE_REGEX = /<\?[\s\S]*?\?>/g;
var ASP_CODE_REGEX = /<%[\s\S]*?%>/g;
var ASP_NET_CODE_REGEX = /(<asp:[^]+>[\s|\S]*?<\/asp:[^]+>)|(<asp:[^]+\/>)/gi;
var HTML_TAG_WITH_ON_ATTRIBUTE_REGEX = /<[^>]+?(\s+\bon\w+=(?:'[^']*'|"[^"]*"|[^'"\s>]+))*\s*\/?>/gi;
var ON_ATTRIBUTE_REGEX = /(\s+\bon\w+=(?:'[^']*'|"[^"]*"|[^'"\s>]+))/gi;

if (!editor.window) {
editor.window = editorWindow;
Expand Down Expand Up @@ -87,6 +94,9 @@ CKEDITOR.dialog.add('codemirrordialog', function (editor) {

_handleCodeMirrorChange: function () {
var newData = this.codeMirrorEditor.getValue();

var sanitizedData = this._sanitizeHTML(newData);

var preview = this.dialog
.getContentElement('main', 'preview')
.getElement();
Expand All @@ -95,7 +105,7 @@ CKEDITOR.dialog.add('codemirrordialog', function (editor) {
if (iframe && iframe.$) {
var iframeDocument = iframe.$.contentDocument;
var iframeBody = iframeDocument.body;
iframeBody.innerHTML = newData;
iframeBody.innerHTML = sanitizedData;
}
},

Expand Down Expand Up @@ -183,18 +193,18 @@ CKEDITOR.dialog.add('codemirrordialog', function (editor) {
};
},

_handleCodeMirrorChange: function () {
var newData = this.codeMirrorEditor.getValue();
var preview = this.dialog
.getContentElement('main', 'preview')
.getElement();

var iframe = preview.findOne('iframe');
if (iframe && iframe.$) {
var iframeDocument = iframe.$.contentDocument;
var iframeBody = iframeDocument.body;
iframeBody.innerHTML = newData;
}
_sanitizeHTML: function (html) {
var sanitizedHtml = html
.replace(HTML_TAG_WITH_ON_ATTRIBUTE_REGEX, function (match) {
return match.replace(ON_ATTRIBUTE_REGEX, '');
})
.replace(ALERT_REGEX, '')
.replace(INNER_HTML_REGEX, '')
.replace(PHP_CODE_REGEX, '')
.replace(ASP_CODE_REGEX, '')
.replace(ASP_NET_CODE_REGEX, '');

return sanitizedHtml;
},

contents: [
Expand Down

0 comments on commit 799b5af

Please sign in to comment.