fix: #106 fixed maybe xss attack from custom web html panel

2 years ago · 6d16e09ae1
parent 0cfa7927c1
commit 6d16e09ae1
3 changed files with 20 additions and 2 deletions
--- a/client/web/plugins/com.msgbyte.webview/package.json
+++ b/client/web/plugins/com.msgbyte.webview/package.json
@ -4,6 +4,7 @@
  "version": "0.0.0",
  "private": true,
  "dependencies": {
-    "url-regex": "^5.0.0"
+    "url-regex": "^5.0.0",
+    "xss": "^1.0.14"
  }
 }
--- a/client/web/plugins/com.msgbyte.webview/src/group/GroupCustomWebPanelRender.tsx
+++ b/client/web/plugins/com.msgbyte.webview/src/group/GroupCustomWebPanelRender.tsx
@ -1,5 +1,6 @@
 import React, { useEffect, useRef } from 'react';
 import { Translate } from '../translate';
+import xss from 'xss';

 function getInjectedStyle() {
  try {
@ -26,7 +27,7 @@ const GroupCustomWebPanelRender: React.FC<{ panelInfo: any }> = (props) => {

    const doc = ref.current.contentWindow.document;
    doc.open();
-    doc.writeln(getInjectedStyle(), html);
+    doc.writeln(getInjectedStyle(), xss(html));
    doc.close();
  }, [html]);

--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -1266,6 +1266,9 @@ importers:
      url-regex:
        specifier: ^5.0.0
        version: 5.0.0
+      xss:
+        specifier: ^1.0.14
+        version: 1.0.14

  client/web/plugins/com.msgbyte.wenshushu:
    devDependencies:
@ -17221,6 +17224,10 @@ packages:
    engines: {node: '>=4'}
    hasBin: true

+  /cssfilter@0.0.10:
+    resolution: {integrity: sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw==}
+    dev: false
+
  /cssnano-preset-advanced@5.3.10(postcss@8.4.21):
    resolution: {integrity: sha512-fnYJyCS9jgMU+cmHO1rPSPf9axbQyD7iUhLO5Df6O4G+fKIOMps+ZbU0PdGFejFBBZ3Pftf18fn1eG7MAPUSWQ==}
    engines: {node: ^10 || ^12 || >=14.0}
@ -35956,6 +35963,15 @@ packages:
    resolution: {integrity: sha512-xl/50/Cf32VsGq/1R8jJE5ajH1yMCQkpmoS10QbFZWl2Oor4H0Me64Pu2yxvsRWK3m6soJbmGfzSR7BYmDcWAA==}
    dev: true

+  /xss@1.0.14:
+    resolution: {integrity: sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==}
+    engines: {node: '>= 0.10.0'}
+    hasBin: true
+    dependencies:
+      commander: 2.20.3
+      cssfilter: 0.0.10
+    dev: false
+
  /xtend@4.0.2:
    resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==}
    engines: {node: '>=0.4'}