diff options
Diffstat (limited to 'web-ui/app/js/lib')
| -rw-r--r-- | web-ui/app/js/lib/highlightRegex.js | 127 | ||||
| -rw-r--r-- | web-ui/app/js/lib/html-sanitizer.js | 1064 | ||||
| -rw-r--r-- | web-ui/app/js/lib/html4-defs.js | 640 | ||||
| -rw-r--r-- | web-ui/app/js/lib/html_whitelister.js | 70 |
4 files changed, 1901 insertions, 0 deletions
diff --git a/web-ui/app/js/lib/highlightRegex.js b/web-ui/app/js/lib/highlightRegex.js new file mode 100644 index 00000000..17caaa23 --- /dev/null +++ b/web-ui/app/js/lib/highlightRegex.js @@ -0,0 +1,127 @@ +/* + * jQuery Highlight Regex Plugin v0.1.2 + * + * Based on highlight v3 by Johann Burkard + * http://johannburkard.de/blog/programming/javascript/highlight-javascript-text-higlighting-jquery-plugin.html + * + * (c) 2009-13 Jacob Rothstein + * MIT license + */ + +;(function( $ ) { + + + + var normalize = function( node ) { + if ( ! ( node && node.childNodes )) return + + var children = $.makeArray( node.childNodes ) + , prevTextNode = null + + $.each( children, function( i, child ) { + if ( child.nodeType === 3 ) { + if ( child.nodeValue === "" ) { + + node.removeChild( child ) + + } else if ( prevTextNode !== null ) { + + prevTextNode.nodeValue += child.nodeValue; + node.removeChild( child ) + + } else { + + prevTextNode = child + + } + } else { + prevTextNode = null + + if ( child.childNodes ) { + normalize( child ) + } + } + }) + } + + + + + $.fn.highlightRegex = function( regex, options ) { + + if ( typeof regex === 'object' && !(regex.constructor.name == 'RegExp' || regex instanceof RegExp ) ) { + options = regex + regex = undefined + } + + if ( typeof options === 'undefined' ) options = {} + + options.className = options.className || 'highlight' + options.tagType = options.tagType || 'span' + options.attrs = options.attrs || {} + + if ( typeof regex === 'undefined' || regex.source === '' ) { + + $( this ).find( options.tagType + '.' + options.className ).each( function() { + + $( this ).replaceWith( $( this ).text() ) + + normalize( $( this ).parent().get( 0 )) + + }) + + } else { + + $( this ).each( function() { + + var elt = $( this ).get( 0 ) + + normalize( elt ) + + $.each( $.makeArray( elt.childNodes ), function( i, searchnode ) { + + var spannode, middlebit, middleclone, pos, match, parent + + normalize( searchnode ) + + if ( searchnode.nodeType == 3 ) { + + // don't re-highlight the same node over and over + if ( $(searchnode).parent(options.tagType + '.' + options.className).length ) { + return; + } + + while ( searchnode.data && + ( pos = searchnode.data.search( regex )) >= 0 ) { + + match = searchnode.data.slice( pos ).match( regex )[ 0 ] + + if ( match.length > 0 ) { + + spannode = document.createElement( options.tagType ) + spannode.className = options.className + $(spannode).attr(options.attrs) + + parent = searchnode.parentNode + middlebit = searchnode.splitText( pos ) + searchnode = middlebit.splitText( match.length ) + middleclone = middlebit.cloneNode( true ) + + spannode.appendChild( middleclone ) + parent.replaceChild( spannode, middlebit ) + + } else break + } + + } else { + + $( searchnode ).highlightRegex( regex, options ) + + } + }) + }) + } + + return $( this ) + } +})( jQuery ); diff --git a/web-ui/app/js/lib/html-sanitizer.js b/web-ui/app/js/lib/html-sanitizer.js new file mode 100644 index 00000000..80fb0041 --- /dev/null +++ b/web-ui/app/js/lib/html-sanitizer.js @@ -0,0 +1,1064 @@ +// Copyright (C) 2006 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/** + * @fileoverview + * An HTML sanitizer that can satisfy a variety of security policies. + * + * <p> + * The HTML sanitizer is built around a SAX parser and HTML element and + * attributes schemas. + * + * If the cssparser is loaded, inline styles are sanitized using the + * css property and value schemas. Else they are remove during + * sanitization. + * + * If it exists, uses parseCssDeclarations, sanitizeCssProperty, cssSchema + * + * @author mikesamuel@gmail.com + * @author jasvir@gmail.com + * \@requires html4, URI + * \@overrides window + * \@provides html, html_sanitize + */ + +// The Turkish i seems to be a non-issue, but abort in case it is. +if ('I'.toLowerCase() !== 'i') { throw 'I/i problem'; } + +/** + * \@namespace + */ +define(['lib/html4-defs'], function (html4) { +var html = (function(html4) { + + // For closure compiler + var parseCssDeclarations, sanitizeCssProperty, cssSchema; + if ('undefined' !== typeof window) { + parseCssDeclarations = window['parseCssDeclarations']; + sanitizeCssProperty = window['sanitizeCssProperty']; + cssSchema = window['cssSchema']; + } + + // The keys of this object must be 'quoted' or JSCompiler will mangle them! + // This is a partial list -- lookupEntity() uses the host browser's parser + // (when available) to implement full entity lookup. + // Note that entities are in general case-sensitive; the uppercase ones are + // explicitly defined by HTML5 (presumably as compatibility). + var ENTITIES = { + 'lt': '<', + 'LT': '<', + 'gt': '>', + 'GT': '>', + 'amp': '&', + 'AMP': '&', + 'quot': '"', + 'apos': '\'', + 'nbsp': '\240' + }; + + // Patterns for types of entity/character reference names. + var decimalEscapeRe = /^#(\d+)$/; + var hexEscapeRe = /^#x([0-9A-Fa-f]+)$/; + // contains every entity per http://www.w3.org/TR/2011/WD-html5-20110113/named-character-references.html + var safeEntityNameRe = /^[A-Za-z][A-za-z0-9]+$/; + // Used as a hook to invoke the browser's entity parsing. <textarea> is used + // because its content is parsed for entities but not tags. + // TODO(kpreid): This retrieval is a kludge and leads to silent loss of + // functionality if the document isn't available. + var entityLookupElement = + ('undefined' !== typeof window && window['document']) + ? window['document'].createElement('textarea') : null; + /** + * Decodes an HTML entity. + * + * {\@updoc + * $ lookupEntity('lt') + * # '<' + * $ lookupEntity('GT') + * # '>' + * $ lookupEntity('amp') + * # '&' + * $ lookupEntity('nbsp') + * # '\xA0' + * $ lookupEntity('apos') + * # "'" + * $ lookupEntity('quot') + * # '"' + * $ lookupEntity('#xa') + * # '\n' + * $ lookupEntity('#10') + * # '\n' + * $ lookupEntity('#x0a') + * # '\n' + * $ lookupEntity('#010') + * # '\n' + * $ lookupEntity('#x00A') + * # '\n' + * $ lookupEntity('Pi') // Known failure + * # '\u03A0' + * $ lookupEntity('pi') // Known failure + * # '\u03C0' + * } + * + * @param {string} name the content between the '&' and the ';'. + * @return {string} a single unicode code-point as a string. + */ + function lookupEntity(name) { + // TODO: entity lookup as specified by HTML5 actually depends on the + // presence of the ";". + if (ENTITIES.hasOwnProperty(name)) { return ENTITIES[name]; } + var m = name.match(decimalEscapeRe); + if (m) { + return String.fromCharCode(parseInt(m[1], 10)); + } else if (!!(m = name.match(hexEscapeRe))) { + return String.fromCharCode(parseInt(m[1], 16)); + } else if (entityLookupElement && safeEntityNameRe.test(name)) { + entityLookupElement.innerHTML = '&' + name + ';'; + var text = entityLookupElement.textContent; + ENTITIES[name] = text; + return text; + } else { + return '&' + name + ';'; + } + } + + function decodeOneEntity(_, name) { + return lookupEntity(name); + } + + var nulRe = /\0/g; + function stripNULs(s) { + return s.replace(nulRe, ''); + } + + var ENTITY_RE_1 = /&(#[0-9]+|#[xX][0-9A-Fa-f]+|\w+);/g; + var ENTITY_RE_2 = /^(#[0-9]+|#[xX][0-9A-Fa-f]+|\w+);/; + /** + * The plain text of a chunk of HTML CDATA which possibly containing. + * + * {\@updoc + * $ unescapeEntities('') + * # '' + * $ unescapeEntities('hello World!') + * # 'hello World!' + * $ unescapeEntities('1 < 2 && 4 > 3 ') + * # '1 < 2 && 4 > 3\n' + * $ unescapeEntities('<< <- unfinished entity>') + * # '<< <- unfinished entity>' + * $ unescapeEntities('/foo?bar=baz©=true') // & often unescaped in URLS + * # '/foo?bar=baz©=true' + * $ unescapeEntities('pi=ππ, Pi=Π\u03A0') // FIXME: known failure + * # 'pi=\u03C0\u03c0, Pi=\u03A0\u03A0' + * } + * + * @param {string} s a chunk of HTML CDATA. It must not start or end inside + * an HTML entity. + */ + function unescapeEntities(s) { + return s.replace(ENTITY_RE_1, decodeOneEntity); + } + + var ampRe = /&/g; + var looseAmpRe = /&([^a-z#]|#(?:[^0-9x]|x(?:[^0-9a-f]|$)|$)|$)/gi; + var ltRe = /[<]/g; + var gtRe = />/g; + var quotRe = /\"/g; + + /** + * Escapes HTML special characters in attribute values. + * + * {\@updoc + * $ escapeAttrib('') + * # '' + * $ escapeAttrib('"<<&==&>>"') // Do not just escape the first occurrence. + * # '"<<&==&>>"' + * $ escapeAttrib('Hello <World>!') + * # 'Hello <World>!' + * } + */ + function escapeAttrib(s) { + return ('' + s).replace(ampRe, '&').replace(ltRe, '<') + .replace(gtRe, '>').replace(quotRe, '"'); + } + + /** + * Escape entities in RCDATA that can be escaped without changing the meaning. + * {\@updoc + * $ normalizeRCData('1 < 2 && 3 > 4 && 5 < 7&8') + * # '1 < 2 && 3 > 4 && 5 < 7&8' + * } + */ + function normalizeRCData(rcdata) { + return rcdata + .replace(looseAmpRe, '&$1') + .replace(ltRe, '<') + .replace(gtRe, '>'); + } + + // TODO(felix8a): validate sanitizer regexs against the HTML5 grammar at + // http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html + // http://www.whatwg.org/specs/web-apps/current-work/multipage/parsing.html + // http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html + // http://www.whatwg.org/specs/web-apps/current-work/multipage/tree-construction.html + + // We initially split input so that potentially meaningful characters + // like '<' and '>' are separate tokens, using a fast dumb process that + // ignores quoting. Then we walk that token stream, and when we see a + // '<' that's the start of a tag, we use ATTR_RE to extract tag + // attributes from the next token. That token will never have a '>' + // character. However, it might have an unbalanced quote character, and + // when we see that, we combine additional tokens to balance the quote. + + var ATTR_RE = new RegExp( + '^\\s*' + + '([-.:\\w]+)' + // 1 = Attribute name + '(?:' + ( + '\\s*(=)\\s*' + // 2 = Is there a value? + '(' + ( // 3 = Attribute value + // TODO(felix8a): maybe use backref to match quotes + '(\")[^\"]*(\"|$)' + // 4, 5 = Double-quoted string + '|' + + '(\')[^\']*(\'|$)' + // 6, 7 = Single-quoted string + '|' + + // Positive lookahead to prevent interpretation of + // <foo a= b=c> as <foo a='b=c'> + // TODO(felix8a): might be able to drop this case + '(?=[a-z][-\\w]*\\s*=)' + + '|' + + // Unquoted value that isn't an attribute name + // (since we didn't match the positive lookahead above) + '[^\"\'\\s]*' ) + + ')' ) + + ')?', + 'i'); + + // false on IE<=8, true on most other browsers + var splitWillCapture = ('a,b'.split(/(,)/).length === 3); + + // bitmask for tags with special parsing, like <script> and <textarea> + var EFLAGS_TEXT = html4.eflags['CDATA'] | html4.eflags['RCDATA']; + + /** + * Given a SAX-like event handler, produce a function that feeds those + * events and a parameter to the event handler. + * + * The event handler has the form:{@code + * { + * // Name is an upper-case HTML tag name. Attribs is an array of + * // alternating upper-case attribute names, and attribute values. The + * // attribs array is reused by the parser. Param is the value passed to + * // the saxParser. + * startTag: function (name, attribs, param) { ... }, + * endTag: function (name, param) { ... }, + * pcdata: function (text, param) { ... }, + * rcdata: function (text, param) { ... }, + * cdata: function (text, param) { ... }, + * startDoc: function (param) { ... }, + * endDoc: function (param) { ... } + * }} + * + * @param {Object} handler a record containing event handlers. + * @return {function(string, Object)} A function that takes a chunk of HTML + * and a parameter. The parameter is passed on to the handler methods. + */ + function makeSaxParser(handler) { + // Accept quoted or unquoted keys (Closure compat) + var hcopy = { + cdata: handler.cdata || handler['cdata'], + comment: handler.comment || handler['comment'], + endDoc: handler.endDoc || handler['endDoc'], + endTag: handler.endTag || handler['endTag'], + pcdata: handler.pcdata || handler['pcdata'], + rcdata: handler.rcdata || handler['rcdata'], + startDoc: handler.startDoc || handler['startDoc'], + startTag: handler.startTag || handler['startTag'] + }; + return function(htmlText, param) { + return parse(htmlText, hcopy, param); + }; + } + + // Parsing strategy is to split input into parts that might be lexically + // meaningful (every ">" becomes a separate part), and then recombine + // parts if we discover they're in a different context. + + // TODO(felix8a): Significant performance regressions from -legacy, + // tested on + // Chrome 18.0 + // Firefox 11.0 + // IE 6, 7, 8, 9 + // Opera 11.61 + // Safari 5.1.3 + // Many of these are unusual patterns that are linearly slower and still + // pretty fast (eg 1ms to 5ms), so not necessarily worth fixing. + + // TODO(felix8a): "<script> && && && ... <\/script>" is slower on all + // browsers. The hotspot is htmlSplit. + + // TODO(felix8a): "<p title='>>>>...'><\/p>" is slower on all browsers. + // This is partly htmlSplit, but the hotspot is parseTagAndAttrs. + + // TODO(felix8a): "<a><\/a><a><\/a>..." is slower on IE9. + // "<a>1<\/a><a>1<\/a>..." is faster, "<a><\/a>2<a><\/a>2..." is faster. + + // TODO(felix8a): "<p<p<p..." is slower on IE[6-8] + + var continuationMarker = {}; + function parse(htmlText, handler, param) { + var m, p, tagName; + var parts = htmlSplit(htmlText); + var state = { + noMoreGT: false, + noMoreEndComments: false + }; + parseCPS(handler, parts, 0, state, param); + } + + function continuationMaker(h, parts, initial, state, param) { + return function () { + parseCPS(h, parts, initial, state, param); + }; + } + + function parseCPS(h, parts, initial, state, param) { + try { + if (h.startDoc && initial == 0) { h.startDoc(param); } + var m, p, tagName; + for (var pos = initial, end = parts.length; pos < end;) { + var current = parts[pos++]; + var next = parts[pos]; + switch (current) { + case '&': + if (ENTITY_RE_2.test(next)) { + if (h.pcdata) { + h.pcdata('&' + next, param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + pos++; + } else { + if (h.pcdata) { h.pcdata("&", param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + } + break; + case '<\/': + if ((m = /^([-\w:]+)[^\'\"]*/.exec(next))) { + if (m[0].length === next.length && parts[pos + 1] === '>') { + // fast case, no attribute parsing needed + pos += 2; + tagName = m[1].toLowerCase(); + if (h.endTag) { + h.endTag(tagName, param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + } else { + // slow case, need to parse attributes + // TODO(felix8a): do we really care about misparsing this? + pos = parseEndTag( + parts, pos, h, param, continuationMarker, state); + } + } else { + if (h.pcdata) { + h.pcdata('</', param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + } + break; + case '<': + if (m = /^([-\w:]+)\s*\/?/.exec(next)) { + if (m[0].length === next.length && parts[pos + 1] === '>') { + // fast case, no attribute parsing needed + pos += 2; + tagName = m[1].toLowerCase(); + if (h.startTag) { + h.startTag(tagName, [], param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + // tags like <script> and <textarea> have special parsing + var eflags = html4.ELEMENTS[tagName]; + if (eflags & EFLAGS_TEXT) { + var tag = { name: tagName, next: pos, eflags: eflags }; + pos = parseText( + parts, tag, h, param, continuationMarker, state); + } + } else { + // slow case, need to parse attributes + pos = parseStartTag( + parts, pos, h, param, continuationMarker, state); + } + } else { + if (h.pcdata) { + h.pcdata('<', param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + } + break; + case '<\!--': + // The pathological case is n copies of '<\!--' without '-->', and + // repeated failure to find '-->' is quadratic. We avoid that by + // remembering when search for '-->' fails. + if (!state.noMoreEndComments) { + // A comment <\!--x--> is split into three tokens: + // '<\!--', 'x--', '>' + // We want to find the next '>' token that has a preceding '--'. + // pos is at the 'x--'. + for (p = pos + 1; p < end; p++) { + if (parts[p] === '>' && /--$/.test(parts[p - 1])) { break; } + } + if (p < end) { + if (h.comment) { + var comment = parts.slice(pos, p).join(''); + h.comment( + comment.substr(0, comment.length - 2), param, + continuationMarker, + continuationMaker(h, parts, p + 1, state, param)); + } + pos = p + 1; + } else { + state.noMoreEndComments = true; + } + } + if (state.noMoreEndComments) { + if (h.pcdata) { + h.pcdata('<!--', param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + } + break; + case '<\!': + if (!/^\w/.test(next)) { + if (h.pcdata) { + h.pcdata('<!', param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + } else { + // similar to noMoreEndComment logic + if (!state.noMoreGT) { + for (p = pos + 1; p < end; p++) { + if (parts[p] === '>') { break; } + } + if (p < end) { + pos = p + 1; + } else { + state.noMoreGT = true; + } + } + if (state.noMoreGT) { + if (h.pcdata) { + h.pcdata('<!', param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + } + } + break; + case '<?': + // similar to noMoreEndComment logic + if (!state.noMoreGT) { + for (p = pos + 1; p < end; p++) { + if (parts[p] === '>') { break; } + } + if (p < end) { + pos = p + 1; + } else { + state.noMoreGT = true; + } + } + if (state.noMoreGT) { + if (h.pcdata) { + h.pcdata('<?', param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + } + break; + case '>': + if (h.pcdata) { + h.pcdata(">", param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + break; + case '': + break; + default: + if (h.pcdata) { + h.pcdata(current, param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + break; + } + } + if (h.endDoc) { h.endDoc(param); } + } catch (e) { + if (e !== continuationMarker) { throw e; } + } + } + + // Split str into parts for the html parser. + function htmlSplit(str) { + // can't hoist this out of the function because of the re.exec loop. + var re = /(<\/|<\!--|<[!?]|[&<>])/g; + str += ''; + if (splitWillCapture) { + return str.split(re); + } else { + var parts = []; + var lastPos = 0; + var m; + while ((m = re.exec(str)) !== null) { + parts.push(str.substring(lastPos, m.index)); + parts.push(m[0]); + lastPos = m.index + m[0].length; + } + parts.push(str.substring(lastPos)); + return parts; + } + } + + function parseEndTag(parts, pos, h, param, continuationMarker, state) { + var tag = parseTagAndAttrs(parts, pos); + // drop unclosed tags + if (!tag) { return parts.length; } + if (h.endTag) { + h.endTag(tag.name, param, continuationMarker, + continuationMaker(h, parts, pos, state, param)); + } + return tag.next; + } + + function parseStartTag(parts, pos, h, param, continuationMarker, state) { + var tag = parseTagAndAttrs(parts, pos); + // drop unclosed tags + if (!tag) { return parts.length; } + if (h.startTag) { + h.startTag(tag.name, tag.attrs, param, continuationMarker, + continuationMaker(h, parts, tag.next, state, param)); + } + // tags like <script> and <textarea> have special parsing + if (tag.eflags & EFLAGS_TEXT) { + return parseText(parts, tag, h, param, continuationMarker, state); + } else { + return tag.next; + } + } + + var endTagRe = {}; + + // Tags like <script> and <textarea> are flagged as CDATA or RCDATA, + // which means everything is text until we see the correct closing tag. + function parseText(parts, tag, h, param, continuationMarker, state) { + var end = parts.length; + if (!endTagRe.hasOwnProperty(tag.name)) { + endTagRe[tag.name] = new RegExp('^' + tag.name + '(?:[\\s\\/]|$)', 'i'); + } + var re = endTagRe[tag.name]; + var first = tag.next; + var p = tag.next + 1; + for (; p < end; p++) { + if (parts[p - 1] === '<\/' && re.test(parts[p])) { break; } + } + if (p < end) { p -= 1; } + var buf = parts.slice(first, p).join(''); + if (tag.eflags & html4.eflags['CDATA']) { + if (h.cdata) { + h.cdata(buf, param, continuationMarker, + continuationMaker(h, parts, p, state, param)); + } + } else if (tag.eflags & html4.eflags['RCDATA']) { + if (h.rcdata) { + h.rcdata(normalizeRCData(buf), param, continuationMarker, + continuationMaker(h, parts, p, state, param)); + } + } else { + throw new Error('bug'); + } + return p; + } + + // at this point, parts[pos-1] is either "<" or "<\/". + function parseTagAndAttrs(parts, pos) { + var m = /^([-\w:]+)/.exec(parts[pos]); + var tag = {}; + tag.name = m[1].toLowerCase(); + tag.eflags = html4.ELEMENTS[tag.name]; + var buf = parts[pos].substr(m[0].length); + // Find the next '>'. We optimistically assume this '>' is not in a + // quoted context, and further down we fix things up if it turns out to + // be quoted. + var p = pos + 1; + var end = parts.length; + for (; p < end; p++) { + if (parts[p] === '>') { break; } + buf += parts[p]; + } + if (end <= p) { return void 0; } + var attrs = []; + while (buf !== '') { + m = ATTR_RE.exec(buf); + if (!m) { + // No attribute found: skip garbage + buf = buf.replace(/^[\s\S][^a-z\s]*/, ''); + + } else if ((m[4] && !m[5]) || (m[6] && !m[7])) { + // Unterminated quote: slurp to the next unquoted '>' + var quote = m[4] || m[6]; + var sawQuote = false; + var abuf = [buf, parts[p++]]; + for (; p < end; p++) { + if (sawQuote) { + if (parts[p] === '>') { break; } + } else if (0 <= parts[p].indexOf(quote)) { + sawQuote = true; + } + abuf.push(parts[p]); + } + // Slurp failed: lose the garbage + if (end <= p) { break; } + // Otherwise retry attribute parsing + buf = abuf.join(''); + continue; + + } else { + // We have an attribute + var aName = m[1].toLowerCase(); + var aValue = m[2] ? decodeValue(m[3]) : ''; + attrs.push(aName, aValue); + buf = buf.substr(m[0].length); + } + } + tag.attrs = attrs; + tag.next = p + 1; + return tag; + } + + function decodeValue(v) { + var q = v.charCodeAt(0); + if (q === 0x22 || q === 0x27) { // " or ' + v = v.substr(1, v.length - 2); + } + return unescapeEntities(stripNULs(v)); + } + + /** + * Returns a function that strips unsafe tags and attributes from html. + * @param {function(string, Array.<string>): ?Array.<string>} tagPolicy + * A function that takes (tagName, attribs[]), where tagName is a key in + * html4.ELEMENTS and attribs is an array of alternating attribute names + * and values. It should return a record (as follows), or null to delete + * the element. It's okay for tagPolicy to modify the attribs array, + * but the same array is reused, so it should not be held between calls. + * Record keys: + * attribs: (required) Sanitized attributes array. + * tagName: Replacement tag name. + * @return {function(string, Array)} A function that sanitizes a string of + * HTML and appends result strings to the second argument, an array. + */ + function makeHtmlSanitizer(tagPolicy) { + var stack; + var ignoring; + var emit = function (text, out) { + if (!ignoring) { out.push(text); } + }; + return makeSaxParser({ + 'startDoc': function(_) { + stack = []; + ignoring = false; + }, + 'startTag': function(tagNameOrig, attribs, out) { + if (ignoring) { return; } + if (!html4.ELEMENTS.hasOwnProperty(tagNameOrig)) { return; } + var eflagsOrig = html4.ELEMENTS[tagNameOrig]; + if (eflagsOrig & html4.eflags['FOLDABLE']) { + return; + } + + var decision = tagPolicy(tagNameOrig, attribs); + if (!decision) { + ignoring = !(eflagsOrig & html4.eflags['EMPTY']); + return; + } else if (typeof decision !== 'object') { + throw new Error('tagPolicy did not return object (old API?)'); + } + if ('attribs' in decision) { + attribs = decision['attribs']; + } else { + throw new Error('tagPolicy gave no attribs'); + } + var eflagsRep; + var tagNameRep; + if ('tagName' in decision) { + tagNameRep = decision['tagName']; + eflagsRep = html4.ELEMENTS[tagNameRep]; + } else { + tagNameRep = tagNameOrig; + eflagsRep = eflagsOrig; + } + // TODO(mikesamuel): relying on tagPolicy not to insert unsafe + // attribute names. + + // If this is an optional-end-tag element and either this element or its + // previous like sibling was rewritten, then insert a close tag to + // preserve structure. + if (eflagsOrig & html4.eflags['OPTIONAL_ENDTAG']) { + var onStack = stack[stack.length - 1]; + if (onStack && onStack.orig === tagNameOrig && + (onStack.rep !== tagNameRep || tagNameOrig !== tagNameRep)) { + out.push('<\/', onStack.rep, '>'); + } + } + + if (!(eflagsOrig & html4.eflags['EMPTY'])) { + stack.push({orig: tagNameOrig, rep: tagNameRep}); + } + + out.push('<', tagNameRep); + for (var i = 0, n = attribs.length; i < n; i += 2) { + var attribName = attribs[i], + value = attribs[i + 1]; + if (value !== null && value !== void 0) { + out.push(' ', attribName, '="', escapeAttrib(value), '"'); + } + } + out.push('>'); + + if ((eflagsOrig & html4.eflags['EMPTY']) + && !(eflagsRep & html4.eflags['EMPTY'])) { + // replacement is non-empty, synthesize end tag + out.push('<\/', tagNameRep, '>'); + } + }, + 'endTag': function(tagName, out) { + if (ignoring) { + ignoring = false; + return; + } + if (!html4.ELEMENTS.hasOwnProperty(tagName)) { return; } + var eflags = html4.ELEMENTS[tagName]; + if (!(eflags & (html4.eflags['EMPTY'] | html4.eflags['FOLDABLE']))) { + var index; + if (eflags & html4.eflags['OPTIONAL_ENDTAG']) { + for (index = stack.length; --index >= 0;) { + var stackElOrigTag = stack[index].orig; + if (stackElOrigTag === tagName) { break; } + if (!(html4.ELEMENTS[stackElOrigTag] & + html4.eflags['OPTIONAL_ENDTAG'])) { + // Don't pop non optional end tags looking for a match. + return; + } + } + } else { + for (index = stack.length; --index >= 0;) { + if (stack[index].orig === tagName) { break; } + } + } + if (index < 0) { return; } // Not opened. + for (var i = stack.length; --i > index;) { + var stackElRepTag = stack[i].rep; + if (!(html4.ELEMENTS[stackElRepTag] & + html4.eflags['OPTIONAL_ENDTAG'])) { + out.push('<\/', stackElRepTag, '>'); + } + } + if (index < stack.length) { + tagName = stack[index].rep; + } + stack.length = index; + out.push('<\/', tagName, '>'); + } + }, + 'pcdata': emit, + 'rcdata': emit, + 'cdata': emit, + 'endDoc': function(out) { + for (; stack.length; stack.length--) { + out.push('<\/', stack[stack.length - 1].rep, '>'); + } + } + }); + } + + var ALLOWED_URI_SCHEMES = /^(?:https?|mailto)$/i; + + function safeUri(uri, effect, ltype, hints, naiveUriRewriter) { + if (!naiveUriRewriter) { return null; } + try { + var parsed = URI.parse('' + uri); + if (parsed) { + if (!parsed.hasScheme() || + ALLOWED_URI_SCHEMES.test(parsed.getScheme())) { + var safe = naiveUriRewriter(parsed, effect, ltype, hints); + return safe ? safe.toString() : null; + } + } + } catch (e) { + return null; + } + return null; + } + + function log(logger, tagName, attribName, oldValue, newValue) { + if (!attribName) { + logger(tagName + " removed", { + change: "removed", + tagName: tagName + }); + } + if (oldValue !== newValue) { + var changed = "changed"; + if (oldValue && !newValue) { + changed = "removed"; + } else if (!oldValue && newValue) { + changed = "added"; + } + logger(tagName + "." + attribName + " " + changed, { + change: changed, + tagName: tagName, + attribName: attribName, + oldValue: oldValue, + newValue: newValue + }); + } + } + + function lookupAttribute(map, tagName, attribName) { + var attribKey; + attribKey = tagName + '::' + attribName; + if (map.hasOwnProperty(attribKey)) { + return map[attribKey]; + } + attribKey = '*::' + attribName; + if (map.hasOwnProperty(attribKey)) { + return map[attribKey]; + } + return void 0; + } + function getAttributeType(tagName, attribName) { + return lookupAttribute(html4.ATTRIBS, tagName, attribName); + } + function getLoaderType(tagName, attribName) { + return lookupAttribute(html4.LOADERTYPES, tagName, attribName); + } + function getUriEffect(tagName, attribName) { + return lookupAttribute(html4.URIEFFECTS, tagName, attribName); + } + + /** + * Sanitizes attributes on an HTML tag. + * @param {string} tagName An HTML tag name in lowercase. + * @param {Array.<?string>} attribs An array of alternating names and values. + * @param {?function(?string): ?string} opt_naiveUriRewriter A transform to + * apply to URI attributes; it can return a new string value, or null to + * delete the attribute. If unspecified, URI attributes are deleted. + * @param {function(?string): ?string} opt_nmTokenPolicy A transform to apply + * to attributes containing HTML names, element IDs, and space-separated + * lists of classes; it can return a new string value, or null to delete + * the attribute. If unspecified, these attributes are kept unchanged. + * @return {Array.<?string>} The sanitized attributes as a list of alternating + * names and values, where a null value means to omit the attribute. + */ + function sanitizeAttribs(tagName, attribs, + opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) { + // TODO(felix8a): it's obnoxious that domado duplicates much of this + // TODO(felix8a): maybe consistently enforce constraints like target= + for (var i = 0; i < attribs.length; i += 2) { + var attribName = attribs[i]; + var value = attribs[i + 1]; + var oldValue = value; + var atype = null, attribKey; + if ((attribKey = tagName + '::' + attribName, + html4.ATTRIBS.hasOwnProperty(attribKey)) || + (attribKey = '*::' + attribName, + html4.ATTRIBS.hasOwnProperty(attribKey))) { + atype = html4.ATTRIBS[attribKey]; + } + if (atype !== null) { + switch (atype) { + case html4.atype['NONE']: break; + case html4.atype['SCRIPT']: + value = null; + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); + } + break; + case html4.atype['STYLE']: + if ('undefined' === typeof parseCssDeclarations) { + value = null; + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); + } + break; + } + var sanitizedDeclarations = []; + parseCssDeclarations( + value, + { + 'declaration': function (property, tokens) { + var normProp = property.toLowerCase(); + sanitizeCssProperty( + normProp, tokens, + opt_naiveUriRewriter + ? function (url) { + return safeUri( + url, html4.ueffects.SAME_DOCUMENT, + html4.ltypes.SANDBOXED, + { + "TYPE": "CSS", + "CSS_PROP": normProp + }, opt_naiveUriRewriter); + } + : null); + if (tokens.length) { + sanitizedDeclarations.push( + normProp + ': ' + tokens.join(' ')); + } + } + }); + value = sanitizedDeclarations.length > 0 ? + sanitizedDeclarations.join(' ; ') : null; + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); + } + break; + case html4.atype['ID']: + case html4.atype['IDREF']: + case html4.atype['IDREFS']: + case html4.atype['GLOBAL_NAME']: + case html4.atype['LOCAL_NAME']: + case html4.atype['CLASSES']: + value = opt_nmTokenPolicy ? opt_nmTokenPolicy(value) : value; + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); + } + break; + case html4.atype['URI']: + value = safeUri(value, + getUriEffect(tagName, attribName), + getLoaderType(tagName, attribName), + { + "TYPE": "MARKUP", + "XML_ATTR": attribName, + "XML_TAG": tagName + }, opt_naiveUriRewriter); + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); + } + break; + case html4.atype['URI_FRAGMENT']: + if (value && '#' === value.charAt(0)) { + value = value.substring(1); // remove the leading '#' + value = opt_nmTokenPolicy ? opt_nmTokenPolicy(value) : value; + if (value !== null && value !== void 0) { + value = '#' + value; // restore the leading '#' + } + } else { + value = null; + } + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); + } + break; + default: + value = null; + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); + } + break; + } + } else { + value = null; + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); + } + } + attribs[i + 1] = value; + } + return attribs; + } + + /** + * Creates a tag policy that omits all tags marked UNSAFE in html4-defs.js + * and applies the default attribute sanitizer with the supplied policy for + * URI attributes and NMTOKEN attributes. + * @param {?function(?string): ?string} opt_naiveUriRewriter A transform to + * apply to URI attributes. If not given, URI attributes are deleted. + * @param {function(?string): ?string} opt_nmTokenPolicy A transform to apply + * to attributes containing HTML names, element IDs, and space-separated + * lists of classes. If not given, such attributes are left unchanged. + * @return {function(string, Array.<?string>)} A tagPolicy suitable for + * passing to html.sanitize. + */ + function makeTagPolicy( + opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) { + return function(tagName, attribs) { + if (!(html4.ELEMENTS[tagName] & html4.eflags['UNSAFE'])) { + return { + 'attribs': sanitizeAttribs(tagName, attribs, + opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) + }; + } else { + if (opt_logger) { + log(opt_logger, tagName, undefined, undefined, undefined); + } + } + }; + } + + /** + * Sanitizes HTML tags and attributes according to a given policy. + * @param {string} inputHtml The HTML to sanitize. + * @param {function(string, Array.<?string>)} tagPolicy A function that + * decides which tags to accept and sanitizes their attributes (see + * makeHtmlSanitizer above for details). + * @return {string} The sanitized HTML. + */ + function sanitizeWithPolicy(inputHtml, tagPolicy) { + var outputArray = []; + makeHtmlSanitizer(tagPolicy)(inputHtml, outputArray); + return outputArray.join(''); + } + + /** + * Strips unsafe tags and attributes from HTML. + * @param {string} inputHtml The HTML to sanitize. + * @param {?function(?string): ?string} opt_naiveUriRewriter A transform to + * apply to URI attributes. If not given, URI attributes are deleted. + * @param {function(?string): ?string} opt_nmTokenPolicy A transform to apply + * to attributes containing HTML names, element IDs, and space-separated + * lists of classes. If not given, such attributes are left unchanged. + */ + function sanitize(inputHtml, + opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) { + var tagPolicy = makeTagPolicy( + opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger); + return sanitizeWithPolicy(inputHtml, tagPolicy); + } + + // Export both quoted and unquoted names for Closure linkage. + var html = {}; + html.escapeAttrib = html['escapeAttrib'] = escapeAttrib; + html.makeHtmlSanitizer = html['makeHtmlSanitizer'] = makeHtmlSanitizer; + html.makeSaxParser = html['makeSaxParser'] = makeSaxParser; + html.makeTagPolicy = html['makeTagPolicy'] = makeTagPolicy; + html.normalizeRCData = html['normalizeRCData'] = normalizeRCData; + html.sanitize = html['sanitize'] = sanitize; + html.sanitizeAttribs = html['sanitizeAttribs'] = sanitizeAttribs; + html.sanitizeWithPolicy = html['sanitizeWithPolicy'] = sanitizeWithPolicy; + html.unescapeEntities = html['unescapeEntities'] = unescapeEntities; + return html; +})(html4); + +var html_sanitize = html['sanitize']; + +return { + html: html +}; +}); diff --git a/web-ui/app/js/lib/html4-defs.js b/web-ui/app/js/lib/html4-defs.js new file mode 100644 index 00000000..1ec575da --- /dev/null +++ b/web-ui/app/js/lib/html4-defs.js @@ -0,0 +1,640 @@ +// Copyright Google Inc. +// Licensed under the Apache Licence Version 2.0 +// Autogenerated at Mon Jul 14 18:51:33 BRT 2014 +// @overrides window +// @provides html4 +define([], function() { +var html4 = {}; +html4.atype = { + 'NONE': 0, + 'URI': 1, + 'URI_FRAGMENT': 11, + 'SCRIPT': 2, + 'STYLE': 3, + 'HTML': 12, + 'ID': 4, + 'IDREF': 5, + 'IDREFS': 6, + 'GLOBAL_NAME': 7, + 'LOCAL_NAME': 8, + 'CLASSES': 9, + 'FRAME_TARGET': 10, + 'MEDIA_QUERY': 13 +}; +html4[ 'atype' ] = html4.atype; +html4.ATTRIBS = { + '*::class': 9, + '*::dir': 0, + '*::draggable': 0, + '*::hidden': 0, + '*::id': 4, + '*::inert': 0, + '*::itemprop': 0, + '*::itemref': 6, + '*::itemscope': 0, + '*::lang': 0, + '*::onblur': 2, + '*::onchange': 2, + '*::onclick': 2, + '*::ondblclick': 2, + '*::onerror': 2, + '*::onfocus': 2, + '*::onkeydown': 2, + '*::onkeypress': 2, + '*::onkeyup': 2, + '*::onload': 2, + '*::onmousedown': 2, + '*::onmousemove': 2, + '*::onmouseout': 2, + '*::onmouseover': 2, + '*::onmouseup': 2, + '*::onreset': 2, + '*::onscroll': 2, + '*::onselect': 2, + '*::onsubmit': 2, + '*::ontouchcancel': 2, + '*::ontouchend': 2, + '*::ontouchenter': 2, + '*::ontouchleave': 2, + '*::ontouchmove': 2, + '*::ontouchstart': 2, + '*::onunload': 2, + '*::spellcheck': 0, + '*::style': 3, + '*::tabindex': 0, + '*::title': 0, + '*::translate': 0, + 'a::accesskey': 0, + 'a::coords': 0, + 'a::href': 1, + 'a::hreflang': 0, + 'a::name': 7, + 'a::onblur': 2, + 'a::onfocus': 2, + 'a::shape': 0, + 'a::target': 10, + 'a::type': 0, + 'area::accesskey': 0, + 'area::alt': 0, + 'area::coords': 0, + 'area::href': 1, + 'area::nohref': 0, + 'area::onblur': 2, + 'area::onfocus': 2, + 'area::shape': 0, + 'area::target': 10, + 'audio::controls': 0, + 'audio::loop': 0, + 'audio::mediagroup': 5, + 'audio::muted': 0, + 'audio::preload': 0, + 'audio::src': 1, + 'bdo::dir': 0, + 'blockquote::cite': 1, + 'br::clear': 0, + 'button::accesskey': 0, + 'button::disabled': 0, + 'button::name': 8, + 'button::onblur': 2, + 'button::onfocus': 2, + 'button::type': 0, + 'button::value': 0, + 'canvas::height': 0, + 'canvas::width': 0, + 'caption::align': 0, + 'col::align': 0, + 'col::char': 0, + 'col::charoff': 0, + 'col::span': 0, + 'col::valign': 0, + 'col::width': 0, + 'colgroup::align': 0, + 'colgroup::char': 0, + 'colgroup::charoff': 0, + 'colgroup::span': 0, + 'colgroup::valign': 0, + 'colgroup::width': 0, + 'command::checked': 0, + 'command::command': 5, + 'command::disabled': 0, + 'command::icon': 1, + 'command::label': 0, + 'command::radiogroup': 0, + 'command::type': 0, + 'data::value': 0, + 'del::cite': 1, + 'del::datetime': 0, + 'details::open': 0, + 'dir::compact': 0, + 'div::align': 0, + 'dl::compact': 0, + 'fieldset::disabled': 0, + 'font::color': 0, + 'font::face': 0, + 'font::size': 0, + 'form::accept': 0, + 'form::action': 1, + 'form::autocomplete': 0, + 'form::enctype': 0, + 'form::method': 0, + 'form::name': 7, + 'form::novalidate': 0, + 'form::onreset': 2, + 'form::onsubmit': 2, + 'form::target': 10, + 'h1::align': 0, + 'h2::align': 0, + 'h3::align': 0, + 'h4::align': 0, + 'h5::align': 0, + 'h6::align': 0, + 'hr::align': 0, + 'hr::noshade': 0, + 'hr::size': 0, + 'hr::width': 0, + 'iframe::align': 0, + 'iframe::frameborder': 0, + 'iframe::height': 0, + 'iframe::marginheight': 0, + 'iframe::marginwidth': 0, + 'iframe::width': 0, + 'img::align': 0, + 'img::alt': 0, + 'img::border': 0, + 'img::height': 0, + 'img::hspace': 0, + 'img::ismap': 0, + 'img::name': 7, + 'img::src': 1, + 'img::usemap': 11, + 'img::vspace': 0, + 'img::width': 0, + 'input::accept': 0, + 'input::accesskey': 0, + 'input::align': 0, + 'input::alt': 0, + 'input::autocomplete': 0, + 'input::checked': 0, + 'input::disabled': 0, + 'input::inputmode': 0, + 'input::ismap': 0, + 'input::list': 5, + 'input::max': 0, + 'input::maxlength': 0, + 'input::min': 0, + 'input::multiple': 0, + 'input::name': 8, + 'input::onblur': 2, + 'input::onchange': 2, + 'input::onfocus': 2, + 'input::onselect': 2, + 'input::pattern': 0, + 'input::placeholder': 0, + 'input::readonly': 0, + 'input::required': 0, + 'input::size': 0, + 'input::src': 1, + 'input::step': 0, + 'input::type': 0, + 'input::usemap': 11, + 'input::value': 0, + 'ins::cite': 1, + 'ins::datetime': 0, + 'label::accesskey': 0, + 'label::for': 5, + 'label::onblur': 2, + 'label::onfocus': 2, + 'legend::accesskey': 0, + 'legend::align': 0, + 'li::type': 0, + 'li::value': 0, + 'map::name': 7, + 'menu::compact': 0, + 'menu::label': 0, + 'menu::type': 0, + 'meter::high': 0, + 'meter::low': 0, + 'meter::max': 0, + 'meter::min': 0, + 'meter::value': 0, + 'ol::compact': 0, + 'ol::reversed': 0, + 'ol::start': 0, + 'ol::type': 0, + 'optgroup::disabled': 0, + 'optgroup::label': 0, + 'option::disabled': 0, + 'option::label': 0, + 'option::selected': 0, + 'option::value': 0, + 'output::for': 6, + 'output::name': 8, + 'p::align': 0, + 'pre::width': 0, + 'progress::max': 0, + 'progress::min': 0, + 'progress::value': 0, + 'q::cite': 1, + 'select::autocomplete': 0, + 'select::disabled': 0, + 'select::multiple': 0, + 'select::name': 8, + 'select::onblur': 2, + 'select::onchange': 2, + 'select::onfocus': 2, + 'select::required': 0, + 'select::size': 0, + 'source::type': 0, + 'table::align': 0, + 'table::bgcolor': 0, + 'table::border': 0, + 'table::cellpadding': 0, + 'table::cellspacing': 0, + 'table::frame': 0, + 'table::rules': 0, + 'table::summary': 0, + 'table::width': 0, + 'tbody::align': 0, + 'tbody::char': 0, + 'tbody::charoff': 0, + 'tbody::valign': 0, + 'td::abbr': 0, + 'td::align': 0, + 'td::axis': 0, + 'td::bgcolor': 0, + 'td::char': 0, + 'td::charoff': 0, + 'td::colspan': 0, + 'td::headers': 6, + 'td::height': 0, + 'td::nowrap': 0, + 'td::rowspan': 0, + 'td::scope': 0, + 'td::valign': 0, + 'td::width': 0, + 'textarea::accesskey': 0, + 'textarea::autocomplete': 0, + 'textarea::cols': 0, + 'textarea::disabled': 0, + 'textarea::inputmode': 0, + 'textarea::name': 8, + 'textarea::onblur': 2, + 'textarea::onchange': 2, + 'textarea::onfocus': 2, + 'textarea::onselect': 2, + 'textarea::placeholder': 0, + 'textarea::readonly': 0, + 'textarea::required': 0, + 'textarea::rows': 0, + 'textarea::wrap': 0, + 'tfoot::align': 0, + 'tfoot::char': 0, + 'tfoot::charoff': 0, + 'tfoot::valign': 0, + 'th::abbr': 0, + 'th::align': 0, + 'th::axis': 0, + 'th::bgcolor': 0, + 'th::char': 0, + 'th::charoff': 0, + 'th::colspan': 0, + 'th::headers': 6, + 'th::height': 0, + 'th::nowrap': 0, + 'th::rowspan': 0, + 'th::scope': 0, + 'th::valign': 0, + 'th::width': 0, + 'thead::align': 0, + 'thead::char': 0, + 'thead::charoff': 0, + 'thead::valign': 0, + 'tr::align': 0, + 'tr::bgcolor': 0, + 'tr::char': 0, + 'tr::charoff': 0, + 'tr::valign': 0, + 'track::default': 0, + 'track::kind': 0, + 'track::label': 0, + 'track::srclang': 0, + 'ul::compact': 0, + 'ul::type': 0, + 'video::controls': 0, + 'video::height': 0, + 'video::loop': 0, + 'video::mediagroup': 5, + 'video::muted': 0, + 'video::poster': 1, + 'video::preload': 0, + 'video::src': 1, + 'video::width': 0 +}; +html4[ 'ATTRIBS' ] = html4.ATTRIBS; +html4.eflags = { + 'OPTIONAL_ENDTAG': 1, + 'EMPTY': 2, + 'CDATA': 4, + 'RCDATA': 8, + 'UNSAFE': 16, + 'FOLDABLE': 32, + 'SCRIPT': 64, + 'STYLE': 128, + 'VIRTUALIZED': 256 +}; +html4[ 'eflags' ] = html4.eflags; +html4.ELEMENTS = { + 'a': 0, + 'abbr': 0, + 'acronym': 0, + 'address': 0, + 'applet': 272, + 'area': 2, + 'article': 0, + 'aside': 0, + 'audio': 0, + 'b': 0, + 'base': 274, + 'basefont': 274, + 'bdi': 0, + 'bdo': 0, + 'big': 0, + 'blockquote': 0, + 'body': 305, + 'br': 2, + 'button': 0, + 'canvas': 0, + 'caption': 0, + 'center': 0, + 'cite': 0, + 'code': 0, + 'col': 2, + 'colgroup': 1, + 'command': 2, + 'data': 0, + 'datalist': 0, + 'dd': 1, + 'del': 0, + 'details': 0, + 'dfn': 0, + 'dialog': 272, + 'dir': 0, + 'div': 0, + 'dl': 0, + 'dt': 1, + 'em': 0, + 'fieldset': 0, + 'figcaption': 0, + 'figure': 0, + 'font': 0, + 'footer': 0, + 'form': 0, + 'frame': 274, + 'frameset': 272, + 'h1': 0, + 'h2': 0, + 'h3': 0, + 'h4': 0, + 'h5': 0, + 'h6': 0, + 'head': 305, + 'header': 0, + 'hgroup': 0, + 'hr': 2, + 'html': 305, + 'i': 0, + 'iframe': 4, + 'img': 2, + 'input': 2, + 'ins': 0, + 'isindex': 274, + 'kbd': 0, + 'keygen': 274, + 'label': 0, + 'legend': 0, + 'li': 1, + 'link': 274, + 'map': 0, + 'mark': 0, + 'menu': 0, + 'meta': 274, + 'meter': 0, + 'nav': 0, + 'nobr': 0, + 'noembed': 276, + 'noframes': 276, + 'noscript': 276, + 'object': 272, + 'ol': 0, + 'optgroup': 0, + 'option': 1, + 'output': 0, + 'p': 1, + 'param': 274, + 'pre': 0, + 'progress': 0, + 'q': 0, + 's': 0, + 'samp': 0, + 'script': 84, + 'section': 0, + 'select': 0, + 'small': 0, + 'source': 2, + 'span': 0, + 'strike': 0, + 'strong': 0, + 'style': 148, + 'sub': 0, + 'summary': 0, + 'sup': 0, + 'table': 0, + 'tbody': 1, + 'td': 1, + 'textarea': 8, + 'tfoot': 1, + 'th': 1, + 'thead': 1, + 'time': 0, + 'title': 280, + 'tr': 1, + 'track': 2, + 'tt': 0, + 'u': 0, + 'ul': 0, + 'var': 0, + 'video': 0, + 'wbr': 2 +}; +html4[ 'ELEMENTS' ] = html4.ELEMENTS; +html4.ELEMENT_DOM_INTERFACES = { + 'a': 'HTMLAnchorElement', + 'abbr': 'HTMLElement', + 'acronym': 'HTMLElement', + 'address': 'HTMLElement', + 'applet': 'HTMLAppletElement', + 'area': 'HTMLAreaElement', + 'article': 'HTMLElement', + 'aside': 'HTMLElement', + 'audio': 'HTMLAudioElement', + 'b': 'HTMLElement', + 'base': 'HTMLBaseElement', + 'basefont': 'HTMLBaseFontElement', + 'bdi': 'HTMLElement', + 'bdo': 'HTMLElement', + 'big': 'HTMLElement', + 'blockquote': 'HTMLQuoteElement', + 'body': 'HTMLBodyElement', + 'br': 'HTMLBRElement', + 'button': 'HTMLButtonElement', + 'canvas': 'HTMLCanvasElement', + 'caption': 'HTMLTableCaptionElement', + 'center': 'HTMLElement', + 'cite': 'HTMLElement', + 'code': 'HTMLElement', + 'col': 'HTMLTableColElement', + 'colgroup': 'HTMLTableColElement', + 'command': 'HTMLCommandElement', + 'data': 'HTMLElement', + 'datalist': 'HTMLDataListElement', + 'dd': 'HTMLElement', + 'del': 'HTMLModElement', + 'details': 'HTMLDetailsElement', + 'dfn': 'HTMLElement', + 'dialog': 'HTMLDialogElement', + 'dir': 'HTMLDirectoryElement', + 'div': 'HTMLDivElement', + 'dl': 'HTMLDListElement', + 'dt': 'HTMLElement', + 'em': 'HTMLElement', + 'fieldset': 'HTMLFieldSetElement', + 'figcaption': 'HTMLElement', + 'figure': 'HTMLElement', + 'font': 'HTMLFontElement', + 'footer': 'HTMLElement', + 'form': 'HTMLFormElement', + 'frame': 'HTMLFrameElement', + 'frameset': 'HTMLFrameSetElement', + 'h1': 'HTMLHeadingElement', + 'h2': 'HTMLHeadingElement', + 'h3': 'HTMLHeadingElement', + 'h4': 'HTMLHeadingElement', + 'h5': 'HTMLHeadingElement', + 'h6': 'HTMLHeadingElement', + 'head': 'HTMLHeadElement', + 'header': 'HTMLElement', + 'hgroup': 'HTMLElement', + 'hr': 'HTMLHRElement', + 'html': 'HTMLHtmlElement', + 'i': 'HTMLElement', + 'iframe': 'HTMLIFrameElement', + 'img': 'HTMLImageElement', + 'input': 'HTMLInputElement', + 'ins': 'HTMLModElement', + 'isindex': 'HTMLUnknownElement', + 'kbd': 'HTMLElement', + 'keygen': 'HTMLKeygenElement', + 'label': 'HTMLLabelElement', + 'legend': 'HTMLLegendElement', + 'li': 'HTMLLIElement', + 'link': 'HTMLLinkElement', + 'map': 'HTMLMapElement', + 'mark': 'HTMLElement', + 'menu': 'HTMLMenuElement', + 'meta': 'HTMLMetaElement', + 'meter': 'HTMLMeterElement', + 'nav': 'HTMLElement', + 'nobr': 'HTMLElement', + 'noembed': 'HTMLElement', + 'noframes': 'HTMLElement', + 'noscript': 'HTMLElement', + 'object': 'HTMLObjectElement', + 'ol': 'HTMLOListElement', + 'optgroup': 'HTMLOptGroupElement', + 'option': 'HTMLOptionElement', + 'output': 'HTMLOutputElement', + 'p': 'HTMLParagraphElement', + 'param': 'HTMLParamElement', + 'pre': 'HTMLPreElement', + 'progress': 'HTMLProgressElement', + 'q': 'HTMLQuoteElement', + 's': 'HTMLElement', + 'samp': 'HTMLElement', + 'script': 'HTMLScriptElement', + 'section': 'HTMLElement', + 'select': 'HTMLSelectElement', + 'small': 'HTMLElement', + 'source': 'HTMLSourceElement', + 'span': 'HTMLSpanElement', + 'strike': 'HTMLElement', + 'strong': 'HTMLElement', + 'style': 'HTMLStyleElement', + 'sub': 'HTMLElement', + 'summary': 'HTMLElement', + 'sup': 'HTMLElement', + 'table': 'HTMLTableElement', + 'tbody': 'HTMLTableSectionElement', + 'td': 'HTMLTableDataCellElement', + 'textarea': 'HTMLTextAreaElement', + 'tfoot': 'HTMLTableSectionElement', + 'th': 'HTMLTableHeaderCellElement', + 'thead': 'HTMLTableSectionElement', + 'time': 'HTMLTimeElement', + 'title': 'HTMLTitleElement', + 'tr': 'HTMLTableRowElement', + 'track': 'HTMLTrackElement', + 'tt': 'HTMLElement', + 'u': 'HTMLElement', + 'ul': 'HTMLUListElement', + 'var': 'HTMLElement', + 'video': 'HTMLVideoElement', + 'wbr': 'HTMLElement' +}; +html4[ 'ELEMENT_DOM_INTERFACES' ] = html4.ELEMENT_DOM_INTERFACES; +html4.ueffects = { + 'NOT_LOADED': 0, + 'SAME_DOCUMENT': 1, + 'NEW_DOCUMENT': 2 +}; +html4[ 'ueffects' ] = html4.ueffects; +html4.URIEFFECTS = { + 'a::href': 2, + 'area::href': 2, + 'audio::src': 1, + 'blockquote::cite': 0, + 'command::icon': 1, + 'del::cite': 0, + 'form::action': 2, + 'img::src': 1, + 'input::src': 1, + 'ins::cite': 0, + 'q::cite': 0, + 'video::poster': 1, + 'video::src': 1 +}; +html4[ 'URIEFFECTS' ] = html4.URIEFFECTS; +html4.ltypes = { + 'UNSANDBOXED': 2, + 'SANDBOXED': 1, + 'DATA': 0 +}; +html4[ 'ltypes' ] = html4.ltypes; +html4.LOADERTYPES = { + 'a::href': 2, + 'area::href': 2, + 'audio::src': 2, + 'blockquote::cite': 2, + 'command::icon': 1, + 'del::cite': 2, + 'form::action': 2, + 'img::src': 1, + 'input::src': 1, + 'ins::cite': 2, + 'q::cite': 2, + 'video::poster': 1, + 'video::src': 2 +}; +html4[ 'LOADERTYPES' ] = html4.LOADERTYPES; + +return html4 +}); diff --git a/web-ui/app/js/lib/html_whitelister.js b/web-ui/app/js/lib/html_whitelister.js new file mode 100644 index 00000000..6d414077 --- /dev/null +++ b/web-ui/app/js/lib/html_whitelister.js @@ -0,0 +1,70 @@ +/*global _ */ + +'use strict'; + +define(['lib/html-sanitizer'], function (htmlSanitizer) { + var tagAndAttributeWhitelist = { + 'p': ['style'], + 'div': ['style'], + 'a': ['href', 'style'], + 'span': ['style'], + 'font': ['face', 'size', 'style'], + 'img': ['title'], + 'em': [], + 'b': [], + 'strong': ['style'], + 'table': ['style'], + 'tr': ['style'], + 'td': ['style'], + 'th': ['style'], + 'tbody': ['style'], + 'thead': ['style'], + 'dt': ['style'], + 'dd': ['style'], + 'dl': ['style'], + 'h1': ['style'], + 'h2': ['style'], + 'h3': ['style'], + 'h4': ['style'], + 'h5': ['style'], + 'h6': ['style'], + 'br': [], + 'blockquote': ['style'], + 'label': ['style'], + 'form': ['style'], + 'ol': ['style'], + 'ul': ['style'], + 'li': ['style'], + 'input': ['style', 'type', 'name', 'value'] + }; + + function filterAllowedAttributes (tagName, attributes) { + var i, attributesAndValues = []; + + for (i = 0; i < attributes.length; i++) { + if (tagAndAttributeWhitelist[tagName] && + _.contains(tagAndAttributeWhitelist[tagName], attributes[i])) { + attributesAndValues.push(attributes[i]); + attributesAndValues.push(attributes[i+1]); + } + }; + + return attributesAndValues; + }; + + function tagPolicy (tagName, attributes) { + if (!tagAndAttributeWhitelist[tagName]) { + return null; + } + + return { + tagName: tagName, + attribs: filterAllowedAttributes(tagName, attributes) + }; + } + + return { + tagPolicy: tagPolicy, + sanitize: htmlSanitizer.html.sanitizeWithPolicy + }; +}); |