Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-17 07:50:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Re-enables custom schemes auto linking

Browse source
This commit is contained in:
Christian Hillebrand 2021-10-20 12:35:01 +02:00
parent 02f056851d
commit ea60d5a205
2 changed files with 41 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

42
packages/markdown/src/template-integration.js
View file

@ -9,7 +9,7 @@ var Markdown = require('markdown-it')({
import markdownItMermaid from "@liradb2000/markdown-it-mermaid"; import markdownItMermaid from "@liradb2000/markdown-it-mermaid";
/*
// Static URL Scheme Listing // Static URL Scheme Listing
var urlschemes = [ var urlschemes = [
"aodroplink", "aodroplink",
@ -22,6 +22,10 @@ var urlschemes = [
"mailspring" "mailspring"
]; ];
// Better would be a field in the admin backend to set this dynamically // Better would be a field in the admin backend to set this dynamically
// instead of putting all known or wanted url schemes here hard into code // instead of putting all known or wanted url schemes here hard into code
// but i was not able to access those settings // but i was not able to access those settings
@ -33,6 +37,42 @@ for(var i=0; i<urlschemes.length;i++){
Markdown.linkify.add(urlschemes[i]+":",'http:'); Markdown.linkify.add(urlschemes[i]+":",'http:');
} }
// build fitting regex
var regex = RegExp('^(' + urlschemes.join('|') + '):', 'gim');
// Add a hook to enforce URI scheme allow-list
DOMPurify.addHook('afterSanitizeAttributes', function (node) {
// build an anchor to map URLs to
var anchor = document.createElement('a');
// check all href attributes for validity
if (node.hasAttribute('href')) {
anchor.href = node.getAttribute('href');
if (anchor.protocol && !anchor.protocol.match(regex)) {
node.removeAttribute('href');
}
}
// check all action attributes for validity
if (node.hasAttribute('action')) {
anchor.href = node.getAttribute('action');
if (anchor.protocol && !anchor.protocol.match(regex)) {
node.removeAttribute('action');
}
}
// check all xlink:href attributes for validity
if (node.hasAttribute('xlink:href')) {
anchor.href = node.getAttribute('xlink:href');
if (anchor.protocol && !anchor.protocol.match(regex)) {
node.removeAttribute('xlink:href');
}
}
});
/*
// Additional safeAttrValue function to allow for other specific protocols // Additional safeAttrValue function to allow for other specific protocols
// See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114 // See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114
function mySafeAttrValue(tag, name, value, cssFilter) { function mySafeAttrValue(tag, name, value, cssFilter) {

3
releases/delete-phantomjs.sh
View file

@ -1,3 +0,0 @@
cd ~/repos/wekan/.build
find . -name "*phantomjs*" | xargs rm -rf
cd ~/repos/wekan