1 |
|
2 |
|
3 |
|
4 |
|
5 |
|
6 |
|
7 | var FilterCSS = require("cssfilter").FilterCSS;
|
8 | var getDefaultCSSWhiteList = require("cssfilter").getDefaultWhiteList;
|
9 | var _ = require("./util");
|
10 |
|
11 | function getDefaultWhiteList() {
|
12 | return {
|
13 | a: ["target", "href", "title"],
|
14 | abbr: ["title"],
|
15 | address: [],
|
16 | area: ["shape", "coords", "href", "alt"],
|
17 | article: [],
|
18 | aside: [],
|
19 | audio: [
|
20 | "autoplay",
|
21 | "controls",
|
22 | "crossorigin",
|
23 | "loop",
|
24 | "muted",
|
25 | "preload",
|
26 | "src",
|
27 | ],
|
28 | b: [],
|
29 | bdi: ["dir"],
|
30 | bdo: ["dir"],
|
31 | big: [],
|
32 | blockquote: ["cite"],
|
33 | br: [],
|
34 | caption: [],
|
35 | center: [],
|
36 | cite: [],
|
37 | code: [],
|
38 | col: ["align", "valign", "span", "width"],
|
39 | colgroup: ["align", "valign", "span", "width"],
|
40 | dd: [],
|
41 | del: ["datetime"],
|
42 | details: ["open"],
|
43 | div: [],
|
44 | dl: [],
|
45 | dt: [],
|
46 | em: [],
|
47 | figcaption: [],
|
48 | figure: [],
|
49 | font: ["color", "size", "face"],
|
50 | footer: [],
|
51 | h1: [],
|
52 | h2: [],
|
53 | h3: [],
|
54 | h4: [],
|
55 | h5: [],
|
56 | h6: [],
|
57 | header: [],
|
58 | hr: [],
|
59 | i: [],
|
60 | img: ["src", "alt", "title", "width", "height", "loading"],
|
61 | ins: ["datetime"],
|
62 | kbd: [],
|
63 | li: [],
|
64 | mark: [],
|
65 | nav: [],
|
66 | ol: [],
|
67 | p: [],
|
68 | pre: [],
|
69 | s: [],
|
70 | section: [],
|
71 | small: [],
|
72 | span: [],
|
73 | sub: [],
|
74 | summary: [],
|
75 | sup: [],
|
76 | strong: [],
|
77 | strike: [],
|
78 | table: ["width", "border", "align", "valign"],
|
79 | tbody: ["align", "valign"],
|
80 | td: ["width", "rowspan", "colspan", "align", "valign"],
|
81 | tfoot: ["align", "valign"],
|
82 | th: ["width", "rowspan", "colspan", "align", "valign"],
|
83 | thead: ["align", "valign"],
|
84 | tr: ["rowspan", "align", "valign"],
|
85 | tt: [],
|
86 | u: [],
|
87 | ul: [],
|
88 | video: [
|
89 | "autoplay",
|
90 | "controls",
|
91 | "crossorigin",
|
92 | "loop",
|
93 | "muted",
|
94 | "playsinline",
|
95 | "poster",
|
96 | "preload",
|
97 | "src",
|
98 | "height",
|
99 | "width",
|
100 | ],
|
101 | };
|
102 | }
|
103 |
|
104 | var defaultCSSFilter = new FilterCSS();
|
105 |
|
106 |
|
107 |
|
108 |
|
109 |
|
110 |
|
111 |
|
112 |
|
113 |
|
114 | function onTag(tag, html, options) {
|
115 |
|
116 | }
|
117 |
|
118 |
|
119 |
|
120 |
|
121 |
|
122 |
|
123 |
|
124 |
|
125 |
|
126 | function onIgnoreTag(tag, html, options) {
|
127 |
|
128 | }
|
129 |
|
130 |
|
131 |
|
132 |
|
133 |
|
134 |
|
135 |
|
136 |
|
137 |
|
138 | function onTagAttr(tag, name, value) {
|
139 |
|
140 | }
|
141 |
|
142 |
|
143 |
|
144 |
|
145 |
|
146 |
|
147 |
|
148 |
|
149 |
|
150 | function onIgnoreTagAttr(tag, name, value) {
|
151 |
|
152 | }
|
153 |
|
154 |
|
155 |
|
156 |
|
157 |
|
158 |
|
159 | function escapeHtml(html) {
|
160 | return html.replace(REGEXP_LT, "<").replace(REGEXP_GT, ">");
|
161 | }
|
162 |
|
163 |
|
164 |
|
165 |
|
166 |
|
167 |
|
168 |
|
169 |
|
170 |
|
171 |
|
172 | function safeAttrValue(tag, name, value, cssFilter) {
|
173 |
|
174 | value = friendlyAttrValue(value);
|
175 |
|
176 | if (name === "href" || name === "src") {
|
177 |
|
178 |
|
179 | value = _.trim(value);
|
180 | if (value === "#") return "#";
|
181 | if (
|
182 | !(
|
183 | value.substr(0, 7) === "http://" ||
|
184 | value.substr(0, 8) === "https://" ||
|
185 | value.substr(0, 7) === "mailto:" ||
|
186 | value.substr(0, 4) === "tel:" ||
|
187 | value.substr(0, 11) === "data:image/" ||
|
188 | value.substr(0, 6) === "ftp://" ||
|
189 | value.substr(0, 2) === "./" ||
|
190 | value.substr(0, 3) === "../" ||
|
191 | value[0] === "#" ||
|
192 | value[0] === "/"
|
193 | )
|
194 | ) {
|
195 | return "";
|
196 | }
|
197 | } else if (name === "background") {
|
198 |
|
199 |
|
200 | REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
|
201 | if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
|
202 | return "";
|
203 | }
|
204 | } else if (name === "style") {
|
205 |
|
206 | REGEXP_DEFAULT_ON_TAG_ATTR_7.lastIndex = 0;
|
207 | if (REGEXP_DEFAULT_ON_TAG_ATTR_7.test(value)) {
|
208 | return "";
|
209 | }
|
210 |
|
211 | REGEXP_DEFAULT_ON_TAG_ATTR_8.lastIndex = 0;
|
212 | if (REGEXP_DEFAULT_ON_TAG_ATTR_8.test(value)) {
|
213 | REGEXP_DEFAULT_ON_TAG_ATTR_4.lastIndex = 0;
|
214 | if (REGEXP_DEFAULT_ON_TAG_ATTR_4.test(value)) {
|
215 | return "";
|
216 | }
|
217 | }
|
218 | if (cssFilter !== false) {
|
219 | cssFilter = cssFilter || defaultCSSFilter;
|
220 | value = cssFilter.process(value);
|
221 | }
|
222 | }
|
223 |
|
224 |
|
225 | value = escapeAttrValue(value);
|
226 | return value;
|
227 | }
|
228 |
|
229 |
|
230 | var REGEXP_LT = /</g;
|
231 | var REGEXP_GT = />/g;
|
232 | var REGEXP_QUOTE = /"/g;
|
233 | var REGEXP_QUOTE_2 = /"/g;
|
234 | var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
|
235 | var REGEXP_ATTR_VALUE_COLON = /:?/gim;
|
236 | var REGEXP_ATTR_VALUE_NEWLINE = /&newline;?/gim;
|
237 |
|
238 | var REGEXP_DEFAULT_ON_TAG_ATTR_4 =
|
239 | /((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/gi;
|
240 |
|
241 |
|
242 | var REGEXP_DEFAULT_ON_TAG_ATTR_7 =
|
243 | /e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*\(.*/gi;
|
244 | var REGEXP_DEFAULT_ON_TAG_ATTR_8 = /u\s*r\s*l\s*\(.*/gi;
|
245 |
|
246 |
|
247 |
|
248 |
|
249 |
|
250 |
|
251 |
|
252 | function escapeQuote(str) {
|
253 | return str.replace(REGEXP_QUOTE, """);
|
254 | }
|
255 |
|
256 |
|
257 |
|
258 |
|
259 |
|
260 |
|
261 |
|
262 | function unescapeQuote(str) {
|
263 | return str.replace(REGEXP_QUOTE_2, '"');
|
264 | }
|
265 |
|
266 |
|
267 |
|
268 |
|
269 |
|
270 |
|
271 |
|
272 | function escapeHtmlEntities(str) {
|
273 | return str.replace(REGEXP_ATTR_VALUE_1, function replaceUnicode(str, code) {
|
274 | return code[0] === "x" || code[0] === "X"
|
275 | ? String.fromCharCode(parseInt(code.substr(1), 16))
|
276 | : String.fromCharCode(parseInt(code, 10));
|
277 | });
|
278 | }
|
279 |
|
280 |
|
281 |
|
282 |
|
283 |
|
284 |
|
285 |
|
286 | function escapeDangerHtml5Entities(str) {
|
287 | return str
|
288 | .replace(REGEXP_ATTR_VALUE_COLON, ":")
|
289 | .replace(REGEXP_ATTR_VALUE_NEWLINE, " ");
|
290 | }
|
291 |
|
292 |
|
293 |
|
294 |
|
295 |
|
296 |
|
297 |
|
298 | function clearNonPrintableCharacter(str) {
|
299 | var str2 = "";
|
300 | for (var i = 0, len = str.length; i < len; i++) {
|
301 | str2 += str.charCodeAt(i) < 32 ? " " : str.charAt(i);
|
302 | }
|
303 | return _.trim(str2);
|
304 | }
|
305 |
|
306 |
|
307 |
|
308 |
|
309 |
|
310 |
|
311 |
|
312 | function friendlyAttrValue(str) {
|
313 | str = unescapeQuote(str);
|
314 | str = escapeHtmlEntities(str);
|
315 | str = escapeDangerHtml5Entities(str);
|
316 | str = clearNonPrintableCharacter(str);
|
317 | return str;
|
318 | }
|
319 |
|
320 |
|
321 |
|
322 |
|
323 |
|
324 |
|
325 |
|
326 | function escapeAttrValue(str) {
|
327 | str = escapeQuote(str);
|
328 | str = escapeHtml(str);
|
329 | return str;
|
330 | }
|
331 |
|
332 |
|
333 |
|
334 |
|
335 | function onIgnoreTagStripAll() {
|
336 | return "";
|
337 | }
|
338 |
|
339 |
|
340 |
|
341 |
|
342 |
|
343 |
|
344 |
|
345 |
|
346 | function StripTagBody(tags, next) {
|
347 | if (typeof next !== "function") {
|
348 | next = function () {};
|
349 | }
|
350 |
|
351 | var isRemoveAllTag = !Array.isArray(tags);
|
352 | function isRemoveTag(tag) {
|
353 | if (isRemoveAllTag) return true;
|
354 | return _.indexOf(tags, tag) !== -1;
|
355 | }
|
356 |
|
357 | var removeList = [];
|
358 | var posStart = false;
|
359 |
|
360 | return {
|
361 | onIgnoreTag: function (tag, html, options) {
|
362 | if (isRemoveTag(tag)) {
|
363 | if (options.isClosing) {
|
364 | var ret = "[/removed]";
|
365 | var end = options.position + ret.length;
|
366 | removeList.push([
|
367 | posStart !== false ? posStart : options.position,
|
368 | end,
|
369 | ]);
|
370 | posStart = false;
|
371 | return ret;
|
372 | } else {
|
373 | if (!posStart) {
|
374 | posStart = options.position;
|
375 | }
|
376 | return "[removed]";
|
377 | }
|
378 | } else {
|
379 | return next(tag, html, options);
|
380 | }
|
381 | },
|
382 | remove: function (html) {
|
383 | var rethtml = "";
|
384 | var lastPos = 0;
|
385 | _.forEach(removeList, function (pos) {
|
386 | rethtml += html.slice(lastPos, pos[0]);
|
387 | lastPos = pos[1];
|
388 | });
|
389 | rethtml += html.slice(lastPos);
|
390 | return rethtml;
|
391 | },
|
392 | };
|
393 | }
|
394 |
|
395 |
|
396 |
|
397 |
|
398 |
|
399 |
|
400 |
|
401 | function stripCommentTag(html) {
|
402 | var retHtml = "";
|
403 | var lastPos = 0;
|
404 | while (lastPos < html.length) {
|
405 | var i = html.indexOf("<!--", lastPos);
|
406 | if (i === -1) {
|
407 | retHtml += html.slice(lastPos);
|
408 | break;
|
409 | }
|
410 | retHtml += html.slice(lastPos, i);
|
411 | var j = html.indexOf("-->", i);
|
412 | if (j === -1) {
|
413 | break;
|
414 | }
|
415 | lastPos = j + 3;
|
416 | }
|
417 | return retHtml;
|
418 | }
|
419 |
|
420 |
|
421 |
|
422 |
|
423 |
|
424 |
|
425 |
|
426 | function stripBlankChar(html) {
|
427 | var chars = html.split("");
|
428 | chars = chars.filter(function (char) {
|
429 | var c = char.charCodeAt(0);
|
430 | if (c === 127) return false;
|
431 | if (c <= 31) {
|
432 | if (c === 10 || c === 13) return true;
|
433 | return false;
|
434 | }
|
435 | return true;
|
436 | });
|
437 | return chars.join("");
|
438 | }
|
439 |
|
440 | exports.whiteList = getDefaultWhiteList();
|
441 | exports.getDefaultWhiteList = getDefaultWhiteList;
|
442 | exports.onTag = onTag;
|
443 | exports.onIgnoreTag = onIgnoreTag;
|
444 | exports.onTagAttr = onTagAttr;
|
445 | exports.onIgnoreTagAttr = onIgnoreTagAttr;
|
446 | exports.safeAttrValue = safeAttrValue;
|
447 | exports.escapeHtml = escapeHtml;
|
448 | exports.escapeQuote = escapeQuote;
|
449 | exports.unescapeQuote = unescapeQuote;
|
450 | exports.escapeHtmlEntities = escapeHtmlEntities;
|
451 | exports.escapeDangerHtml5Entities = escapeDangerHtml5Entities;
|
452 | exports.clearNonPrintableCharacter = clearNonPrintableCharacter;
|
453 | exports.friendlyAttrValue = friendlyAttrValue;
|
454 | exports.escapeAttrValue = escapeAttrValue;
|
455 | exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
|
456 | exports.StripTagBody = StripTagBody;
|
457 | exports.stripCommentTag = stripCommentTag;
|
458 | exports.stripBlankChar = stripBlankChar;
|
459 | exports.attributeWrapSign = '"';
|
460 | exports.cssFilter = defaultCSSFilter;
|
461 | exports.getDefaultCSSWhiteList = getDefaultCSSWhiteList;
|