replaced satinize with sanitize-html

2016-09-01 16:09:44 +03:00
parent 48e7bc1331
commit f87eaaa810
8 changed files with 54 additions and 70 deletions
--- a/.jshintrc
+++ b/.jshintrc
@@ -32,6 +32,7 @@
    "SwaggerUi": false,
    "jsyaml": false,
    "define": false,
+    "sanitizeHtml": false,

    // Global object
    // TODO: remove these
--- a/dist/index.html
+++ b/dist/index.html
@@ -12,6 +12,7 @@
  <link href='css/print.css' media='print' rel='stylesheet' type='text/css'/>

  <script src='lib/object-assign-pollyfill.js' type='text/javascript'></script>
+  <script src='lib/sanitize-html.min.js' type='text/javascript'></script>
  <script src='lib/jquery-1.8.0.min.js' type='text/javascript'></script>
  <script src='lib/jquery.slideto.min.js' type='text/javascript'></script>
  <script src='lib/jquery.wiggle.min.js' type='text/javascript'></script>
--- a/dist/swagger-ui.js
+++ b/dist/swagger-ui.js
--- a/dist/swagger-ui.min.js
+++ b/dist/swagger-ui.min.js
--- a/lib/sanitize-html.min.js
+++ b/lib/sanitize-html.min.js
--- a/src/main/html/index.html
+++ b/src/main/html/index.html
@@ -12,6 +12,7 @@
  <link href='css/print.css' media='print' rel='stylesheet' type='text/css'/>

  <script src='lib/object-assign-pollyfill.js' type='text/javascript'></script>
+  <script src='lib/sanitize-html.min.js' type='text/javascript'></script>
  <script src='lib/jquery-1.8.0.min.js' type='text/javascript'></script>
  <script src='lib/jquery.slideto.min.js' type='text/javascript'></script>
  <script src='lib/jquery.wiggle.min.js' type='text/javascript'></script>
--- a/src/main/javascript/helpers/handlebars.js
+++ b/src/main/javascript/helpers/handlebars.js
@@ -1,34 +1,22 @@
 'use strict';
 /*jslint eqeq: true*/

-var _sanitize = function(html) {
-    // Strip the script tags from the html and inline evenhandlers
-    html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
-    html = html.replace(/(on\w+="[^"]*")*(on\w+='[^']*')*(on\w+=\w*\(\w*\))*/gi, '');
+Handlebars.registerHelper('sanitize', function (text) {
+    var result;

-    return html;
-};
+    if (text === undefined) { return ''; }

-var sanitize =function (html) {
-    var _html;
+    result = sanitizeHtml(text, {
+        allowedTags: [ 'div', 'span', 'b', 'i', 'em', 'strong', 'a' ],
+        allowedAttributes: {
+            'div': [ 'class' ],
+            'span': [ 'class' ],
+            'a': [ 'href' ]
+        }
+    });

-    if ( _.isUndefined(html) || _.isNull(html)) {
-        return new Handlebars.SafeString('');
-    }
-
-    if (_.isNumber(html))  {
-        return new Handlebars.SafeString(html);
-    }
-
-    if (_.isObject(html)){
-        _html = JSON.stringify(html);
-        return new Handlebars.SafeString(JSON.parse(_sanitize(_html)));
-    }
-
-    return new Handlebars.SafeString(_sanitize(html));
-};
-
-Handlebars.registerHelper('sanitize', sanitize);
+    return new Handlebars.SafeString(result);
+});

 Handlebars.registerHelper('renderTextParam', function(param) {
    var result, type = 'text', idAtt = '';
@@ -55,7 +43,7 @@ Handlebars.registerHelper('renderTextParam', function(param) {
        idAtt = ' id=\'' + valueId + '\'';
    }

-    defaultValue = sanitize(defaultValue);
+    defaultValue = sanitizeHtml(defaultValue);

    if(isArray) {
        result = '<textarea class=\'body-textarea' + (param.required ? ' required' : '') + '\' name=\'' + name + '\'' + idAtt + dataVendorExtensions;
--- a/src/main/javascript/view/MainView.js
+++ b/src/main/javascript/view/MainView.js
@@ -96,7 +96,7 @@ SwaggerUi.Views.MainView = Backbone.View.extend({
        id = id + '_' + counter;
        counter += 1;
      }
-      resource.id = SwaggerUi.utils.sanitize(id);
+      resource.id = sanitizeHtml(id);
      resources[id] = resource;
      this.addResource(resource, this.model.auths);
    }