feat: add basic html sanitizer w/regex to avoid xss scripting attack (#…

…652)
6pac · Oct 22, 2021 · ffc682b · ffc682b · syonfox · Dec 2, 2021
1 parent c6cfe18
commit ffc682b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 18 deletions.
diff --git a/plugins/slick.customtooltip.js b/plugins/slick.customtooltip.js
@@ -10,7 +10,7 @@
  * var customTooltipPlugin = new Slick.Plugins.CustomTooltip(columns, grid options);
  *
  * Available plugin options (same options are available in both column definition and/or grid options)
- *  
+ *
  * Example 1  - via Column Definition
  *  var columns = [
  *    {
@@ -21,7 +21,7 @@
  *      }
  *    }
  *  ];
- * 
+ *
  *  OR Example 2 - via Grid Options (for all columns), NOTE: the column definition tooltip options will win over the options defined in the grid options
  *  var gridOptions = {
  *    enableCellNavigation: true,
@@ -466,9 +466,9 @@
       if (typeof formatterOrText === 'function') {
         var tooltipText = formatterOrText(cell.row, cell.cell, value, columnDef, item, _grid);
         var formatterText = (typeof tooltipText === 'object' && tooltipText && tooltipText.text) ? tooltipText.text : (typeof tooltipText === 'string' ? tooltipText : '');
-        return sanitizeHtmlString(formatterText);
+        return _grid.sanitizeHtmlString(formatterText);
       } else if (typeof formatterOrText === 'string') {
-        return sanitizeHtmlString(formatterOrText);
+        return _grid.sanitizeHtmlString(formatterOrText);
       }
       return '';
     }
@@ -485,7 +485,7 @@
       outputText = (_cellTooltipOptions.tooltipTextMaxLength && outputText.length > _cellTooltipOptions.tooltipTextMaxLength) ? outputText.substr(0, _cellTooltipOptions.tooltipTextMaxLength - 3) + '...' : outputText;
 
       if (!tooltipText || (_cellTooltipOptions && _cellTooltipOptions.renderRegularTooltipAsHtml)) {
-        _tooltipElm.innerHTML = sanitizeHtmlString(outputText);
+        _tooltipElm.innerHTML = _grid.sanitizeHtmlString(outputText);
         _tooltipElm.style.whiteSpace = (_cellTooltipOptions && _cellTooltipOptions.whiteSpace) || _defaultOptions.whiteSpace;
       } else {
         _tooltipElm.textContent = outputText || '';
@@ -531,11 +531,6 @@
       _options = $.extend({}, _options, newOptions);
     }
 
-    /** basic html sanitizer to avoid xss */
-    function sanitizeHtmlString(dirtyHtml) {
-      return typeof dirtyHtml === 'string' ? dirtyHtml.replace(/(\b)(on\S+)(\s*)=|javascript:([^>]*)[^>]*|(<\s*)(\/*)script([<>]*).*(<\s*)(\/*)script([<>]*)/gi, '') : '';
-    }
-
     // Public API
     $.extend(this, {
       "init": init,

diff --git a/slick.grid.js b/slick.grid.js
@@ -2424,13 +2424,13 @@ if (typeof Slick === "undefined") {
         headerWidth = getColHeaderWidth(columnDef);
       }
       if (headerWidth === 0) {
-        headerWidth = (columnDef.width ? columnDef.width 
-          : (columnDef.maxWidth ? columnDef.maxWidth 
+        headerWidth = (columnDef.width ? columnDef.width
+          : (columnDef.maxWidth ? columnDef.maxWidth
             : (columnDef.minWidth ? columnDef.minWidth : 20)
             )
         );
       }
-      
+
       if (autoSize.colValueArray) {
         // if an array of values are specified, just pass them in instead of data
         maxColWidth = getColWidth(columnDef, $gridCanvas, autoSize.colValueArray);
@@ -3485,10 +3485,10 @@ if (typeof Slick === "undefined") {
     function applyFormatResultToCellNode(formatterResult, cellNode, suppressRemove) {
         if (formatterResult === null || formatterResult === undefined) { formatterResult = ''; }
         if (Object.prototype.toString.call(formatterResult)  !== '[object Object]') {
-          cellNode.innerHTML = formatterResult;
+          cellNode.innerHTML = sanitizeHtmlString(formatterResult);
           return;
         }
-        cellNode.innerHTML = formatterResult.text;
+        cellNode.innerHTML = sanitizeHtmlString(formatterResult.text);
         if (formatterResult.removeClasses && !suppressRemove) {
           $(cellNode).removeClass(formatterResult.removeClasses);
         }
@@ -3995,7 +3995,7 @@ if (typeof Slick === "undefined") {
       }
 
       var x = document.createElement("div");
-      x.innerHTML = stringArray.join("");
+      x.innerHTML = sanitizeHtmlString(stringArray.join(""));
 
       var processedRow;
       var node;
@@ -4059,8 +4059,8 @@ if (typeof Slick === "undefined") {
       var x = document.createElement("div"),
         xRight = document.createElement("div");
 
-      x.innerHTML = stringArrayL.join("");
-      xRight.innerHTML = stringArrayR.join("");
+      x.innerHTML = sanitizeHtmlString(stringArrayL.join(""));
+      xRight.innerHTML = sanitizeHtmlString(stringArrayR.join(""));
 
       for (var i = 0, ii = rows.length; i < ii; i++) {
         if (( hasFrozenRows ) && ( rows[i] >= actualFrozenRow )) {
@@ -5924,6 +5924,10 @@ if (typeof Slick === "undefined") {
       }
     }
 
+    /** basic html sanitizer to avoid scripting attack */
+    function sanitizeHtmlString(dirtyHtml) {
+      return typeof dirtyHtml === 'string' ? dirtyHtml.replace(/(\b)(on\S+)(\s*)=|javascript:([^>]*)[^>]*|(<\s*)(\/*)script([<>]*).*(<\s*)(\/*)script(>*)|(&lt;)(\/*)(script|script defer)(.*)(&gt;|&gt;">)/gi, '') : dirtyHtml;
+    }
 
     //////////////////////////////////////////////////////////////////////////////////////////////
     // Debug
@@ -6116,6 +6120,7 @@ if (typeof Slick === "undefined") {
       "getCellCssStyles": getCellCssStyles,
       "getFrozenRowOffset": getFrozenRowOffset,
       "setColumnHeaderVisibility": setColumnHeaderVisibility,
+      "sanitizeHtmlString": sanitizeHtmlString,
 
       "init": finishInitialization,
       "destroy": destroy,