Bug fixes and security fixes to prevent XSS
carolinaisslaying committed Jun 27, 2020
1 parent 16c4dd2 commit eacc436
Showing 5 changed files with 174 additions and 157 deletions.
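--- a/htmlReference.json
+++ b/htmlReference.json
@@ -0,0 +1,157 @@
+{
+"minimal": {
+"tags": [
+"h1",
+"h2",
+"h3",
+"h4",
+"h5",
+"h6",
+"blockquote",
+"button",
+"p",
+"a",
+"ul",
+"ol",
+"nl",
+"li",
+"b",
+"i",
+"img",
+"strong",
+"em",
+"strike",
+"code",
+"hr",
+"br",
+"div",
+"table",
+"thead",
+"caption",
+"tbody",
+"tr",
+"th",
+"td",
+"pre"
+],
+"attributes": {
+"a": ["href", "target", "rel"],
+"img": ["src"],
+"*": ["style", "title", "alt"]
+}
+},
+"standard": {
+"tags": [
+"h1",
+"h2",
+"h3",
+"h4",
+"h5",
+"h6",
+"blockquote",
+"button",
+"p",
+"a",
+"ul",
+"ol",
+"nl",
+"li",
+"b",
+"i",
+"img",
+"strong",
+"em",
+"strike",
+"code",
+"hr",
+"br",
+"div",
+"table",
+"thead",
+"caption",
+"tbody",
+"tr",
+"th",
+"td",
+"pre",
+"iframe",
+"style",
+"link"
+],
+"attributes": {
+"*": [
+"alt",
+"cite",
+"class",
+"controls",
+"autoplay",
+"coords",
+"datetime",
+"headers",
+"hidden",
+"height",
+"id",
+"label",
+"media",
+"name",
+"poster",
+"preload",
+"rel",
+"reversed",
+"rowspan",
+"shape",
+"src",
+"start",
+"style",
+"target",
+"title",
+"translate",
+"usemap",
+"value",
+"width"
+]
+}
+},
+"trusted": {
+"tags": [
+"h1",
+"h2",
+"h3",
+"h4",
+"h5",
+"h6",
+"blockquote",
+"button",
+"p",
+"a",
+"ul",
+"ol",
+"nl",
+"li",
+"b",
+"i",
+"img",
+"strong",
+"em",
+"strike",
+"code",
+"hr",
+"br",
+"div",
+"table",
+"thead",
+"caption",
+"tbody",
+"tr",
+"th",
+"td",
+"pre",
+"iframe",
+"style",
+"script",
+"noscript",
+"link"
+],
+"attributes": false
+}
+}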
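Review bot: The `standard` profile's attribute map has no `href` entry, so when bots.ts switches its non-premium branch from `allowedAttributes: false` (everything kept) to `htmlRef.standard.attributes`, every `<a>` in a non-premium bot description loses its target and renders as plain text. Add a tag-specific entry next to the wildcard list, `"a": ["href", "target", "rel"],`, as the `minimal` profile already does; sanitize-html merges tag-specific entries with `"*"`, if I read its option semantics correctly. `"nl"` is not an HTML element and is carried over from the old inline lists into all three profiles; it is harmless but can be dropped. The `trusted` profile keeps `script` and `"attributes": false`, so by design it provides no XSS protection; since JSON cannot carry that comment, a short note in the README stating which tier receives `trusted` would help future readers of this file.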
4 changes: 2 additions & 2 deletions package-lock.json


86 changes: 7 additions & 79 deletions src/Routes/bots.ts
Expand Up @@ -26,6 +26,7 @@ import * as Discord from "discord.js";
import sanitizeHtml from "sanitize-html";

import * as settings from "../../settings.json";
import * as htmlRef from "../../htmlReference.json";
import * as discord from "../Util/Services/discord";
import * as permission from "../Util/Function/permissions";
import * as functions from "../Util/Function/main";
Expand Down Expand Up @@ -399,6 +400,7 @@ router.post(
}
);

/* TODO: Add preview for long description on edit & submit page
router.post("/preview_post", async (req: Request, res: Response, next) => {
const dirty = entities.decode(md.render(req.body.longDesc));
Expand Down Expand Up @@ -445,7 +447,7 @@ router.post("/preview_post", async (req: Request, res: Response, next) => {
});
res.status(200).send(clean);
});
});*/

router.post(
"/:id/setvanity",
Expand Down Expand Up @@ -948,88 +950,14 @@ router.get("/:id", variables, async (req: Request, res: Response, next) => {
let clean;
if (bot.status.premium === true) {
clean = sanitizeHtml(dirty, {
allowedTags: [
"h1",
"h2",
"h3",
"h4",
"h5",
"h6",
"blockquote",
"button",
"p",
"a",
"ul",
"ol",
"nl",
"li",
"b",
"i",
"img",
"strong",
"em",
"strike",
"code",
"hr",
"br",
"div",
"table",
"thead",
"caption",
"tbody",
"tr",
"th",
"td",
"pre",
"iframe",
"style",
"script",
"noscript",
"link"
],
allowedAttributes: false,
allowedTags: htmlRef.trusted.tags,
allowedAttributes: htmlRef.trusted.attributes,
allowVulnerableTags: true
});
} else {
clean = sanitizeHtml(dirty, {
allowedTags: [
"h1",
"h2",
"h3",
"h4",
"h5",
"h6",
"blockquote",
"button",
"p",
"a",
"ul",
"ol",
"nl",
"li",
"b",
"i",
"img",
"strong",
"em",
"strike",
"code",
"hr",
"br",
"div",
"table",
"thead",
"caption",
"tbody",
"tr",
"th",
"td",
"pre",
"iframe",
"style",
"link"
],
allowedAttributes: false,
allowedTags: htmlRef.standard.tags,
allowedAttributes: htmlRef.standard.attributes,
allowVulnerableTags: true
});
}
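Review bot: The premium branch's `allowedAttributes: htmlRef.trusted.attributes` passes a value that the JSON file declares as `false`; when the file is imported as a module TypeScript will likely widen that literal to `boolean`, which may not satisfy sanitize-html's `false | Record<...>` option type under a strict tsconfig, so confirm this compiles rather than relying on a loose config. Both branches of the `if (bot.status.premium === true)` are now identical except for the profile; selecting it first, `const profile = bot.status.premium === true ? htmlRef.trusted : htmlRef.standard;`, and making a single `sanitizeHtml(dirty, { allowedTags: profile.tags, allowedAttributes: profile.attributes, allowVulnerableTags: true })` call removes the duplication. `allowVulnerableTags: true` silences the library's warning for both tiers; a comment such as `// non-premium bots intentionally keep iframe/style/link (standard profile); premium bots are trusted with script` would record that decision where the next reader will look for it. The enclosing route handler starts and ends outside the hunk.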
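--- a/src/Routes/servers.ts
+++ b/src/Routes/servers.ts
@@ -25,6 +25,7 @@ import * as Discord from "discord.js";
 import sanitizeHtml from "sanitize-html";
 
 import * as settings from "../../settings.json";
+import * as htmlRef from "../../htmlReference.json";
 import * as discord from "../Util/Services/discord";
 import * as permission from "../Util/Function/permissions";
 import * as functions from "../Util/Function/main";
@@ -321,44 +322,9 @@ router.get("/:id", variables, async (req: Request, res: Response, next) => {
 const dirty = entities.decode(md.render(server.longDesc));
 let clean: string;
 clean = sanitizeHtml(dirty, {
-allowedTags: [
-"h1",
-"h2",
-"h3",
-"h4",
-"h5",
-"h6",
-"blockquote",
-"button",
-"p",
-"a",
-"ul",
-"ol",
-"nl",
-"li",
-"b",
-"i",
-"img",
-"strong",
-"em",
-"strike",
-"code",
-"hr",
-"br",
-"div",
-"table",
-"thead",
-"caption",
-"tbody",
-"tr",
-"th",
-"td",
-"pre"
-],
-allowedAttributes: {
-a: ["href", "target", "rel"],
-img: ["src"]
-}
+allowedTags: htmlRef.minimal.tags,
+allowedAttributes: htmlRef.minimal.attributes,
+allowVulnerableTags: true
 });
 
 res.render("templates/servers/view", {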
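Review bot: `allowVulnerableTags: true` on the new sanitizeHtml call is unnecessary for the minimal profile, whose tag list contains none of the tags sanitize-html treats as vulnerable (`script`, `style`, `iframe`); the option only suppresses the library's warning, and keeping it means a later addition of such a tag to `minimal` in htmlReference.json would go unnoticed, so drop that line here. Note also that the minimal profile's `"*": ["style", "title", "alt"]` entry widens what this route previously permitted (only `href`/`target`/`rel` on `a` and `src` on `img`): inline `style` on any element is now preserved in server descriptions, which allows CSS-driven overlays and layout tampering even though it is not script execution; confirm that widening is intended or drop `style` from the shared profile. The enclosing route handler starts and ends outside the hunk.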
