Avoid executing script when attribute is set without quotes (T571307) (
roman-simionov authored Nov 3, 2017
1 parent 8cfc317 commit f62f5a7
Showing 2 changed files with 13 additions and 8 deletions.
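--- a/js/viz/core/renderers/renderer.js
+++ b/js/viz/core/renderers/renderer.js
@@ -704,14 +704,15 @@ function adjustLineHeights(items) {
 }
 
 function removeExtraAttrs(html) {
-var findTagAttrs = /(?:<[a-z0-9])+(?:[\s\S]*?>)/gi,
-findStyleAttrWithValue = /(\S*\s*)=\s*(["'])(?:(?!\2).)*\2\s?/gi;
+var findTagAttrs = /(?:(<[a-z0-9]+\s*))([\s\S]*?)(>|\/>)/gi,
+findStyleAndClassAttrs = /(style|class)\s*=\s*(["'])(?:(?!\2).)*\2\s?/gi;
 
-return html.replace(findTagAttrs, function(allTagAttrs) {
-return allTagAttrs.replace(findStyleAttrWithValue, function(currentAttr, attrName) {
-var lowerCaseAttrName = attrName.toLowerCase();
-return lowerCaseAttrName === "style" || lowerCaseAttrName === "class" ? currentAttr : "";
-});
+return html.replace(findTagAttrs, function(allTagAttrs, p1, p2, p3) {
+p2 = (p2 && p2.match(findStyleAndClassAttrs) || []).map(function(str) {
+return str;
+}).join(" ");
+
+return p1 + p2 + p3;
 });
 }
 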
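Review bot: The `style` value is copied through verbatim by `findStyleAndClassAttrs`, so anything a quoted style can carry (for example `style="fill:url(http://attacker/x)"`) survives the new allowlist; whether that is acceptable depends on what the renderer does with the result, which this hunk does not show, and the intent deserves a comment such as `// Allowlist: keep only quoted style/class attributes; everything else (event handlers, src/href, unquoted values) is dropped so untrusted markup cannot run script.` The `.map(function(str) { return str; })` on the matched attributes is an identity map and can be removed: `p2 = (p2 && p2.match(findStyleAndClassAttrs) || []).join(" ");`. Note also that `(style|class)` is not anchored to an attribute-name boundary, so a name like `data-class="x"` is rewritten to `class="x"` — harmless, but surprising and worth a word in that comment.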
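--- a/testing/tests/DevExpress.viz.renderers/SvgElement.tests.js
+++ b/testing/tests/DevExpress.viz.renderers/SvgElement.tests.js
@@ -5489,9 +5489,12 @@ function checkDashStyle(assert, elem, result, style, value) {
 }),
 mixedQuotesWithStyle4 = this.createText().attr({
 text: "<b src='e' style='font-size:11px;fill:#767676;font-family:\"Segoe UI\", \"Helvetica Neue\";font-weight:400;cursor:default;' >aa</b>", x: 20, y: 30
+}),
+withoutQuotes = this.createText().attr({
+text: "<video src=1 style='font-size:11px;' onerror=alert(1)> </video>", x: 20, y: 30
 });
 
-assert.strictEqual(withoutClosingTags.DEBUG_parsedHtml, "text >with <angle brackets > without closing");
+assert.strictEqual(withoutClosingTags.DEBUG_parsedHtml, "text >with <angle > without closing");
 assert.strictEqual(withClosing.DEBUG_parsedHtml, "text <with>angle brackets </with >closing");
 assert.strictEqual(withSimpleMarkup.DEBUG_parsedHtml, "text with markup1<a class=\"className\"></a>");
 assert.strictEqual(withSimpleStyleTag.DEBUG_parsedHtml, '<b style="font-size:11px;" >aa</b>');
@@ -5501,5 +5504,6 @@ function checkDashStyle(assert, elem, result, style, value) {
 assert.strictEqual(mixedQuotesWithStyle2.DEBUG_parsedHtml, '<b style=\'font-size:11px;fill:#767676;font-family:"Segoe UI", "Helvetica Neue"font-weight:400;cursor:default;\' >aa</b>');
 assert.strictEqual(mixedQuotesWithStyle3.DEBUG_parsedHtml, "<b style='font-size:11px;fill:#767676;font-family:\"Segoe UI\"; cursor:default;' > </b>");
 assert.strictEqual(mixedQuotesWithStyle4.DEBUG_parsedHtml, "<b style='font-size:11px;fill:#767676;font-family:\"Segoe UI\", \"Helvetica Neue\";font-weight:400;cursor:default;' >aa</b>");
+assert.strictEqual(withoutQuotes.DEBUG_parsedHtml, "<video style='font-size:11px;' > </video>");
 });
 })();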
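Review bot: The new `withoutQuotes` case only covers unquoted attributes separated from the tag name by whitespace; the variant that matters most for script execution — an attribute introduced by `/` instead of a space, as in `<b/onerror=alert(1)>aa</b>` — is untested, as is an unquoted `style=` value, which the new filter drops rather than keeps. By my reading of the new `findTagAttrs`, the first reduces to `<b>aa</b>` and `<b style=font-size:11px>aa</b>` to `<b >aa</b>`, so two assertions along the lines of `assert.strictEqual(slashSeparated.DEBUG_parsedHtml, "<b>aa</b>");` and `assert.strictEqual(unquotedStyle.DEBUG_parsedHtml, "<b >aa</b>");` would pin that behaviour. The enclosing test function starts outside this hunk.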
