From fce2a16e42ba90005c9b9d63fbea6b3e565e6277 Mon Sep 17 00:00:00 2001 From: Toan Date: Sun, 5 Jul 2020 23:04:22 +0700 Subject: [PATCH] add security level antiscript option, to let use rich html format but remove all script element. --- src/config.js | 3 +- src/diagrams/common/common.js | 45 +++++++++++++++++++++++++----- src/diagrams/common/common.spec.js | 26 +++++++++++++++++ 3 files changed, 66 insertions(+), 8 deletions(-) create mode 100644 src/diagrams/common/common.spec.js diff --git a/src/config.js b/src/config.js index 5f254342c4..d2a4736a35 100644 --- a/src/config.js +++ b/src/config.js @@ -77,11 +77,12 @@ const config = { /** *| Parameter | Description |Type | Required | Values| *| --- | --- | --- | --- | --- | - *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose | + *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose, antiscript | * ***Notes: *- **strict**: (**default**) tags in text are encoded, click functionality is disabeled *- **loose**: tags in text are allowed, click functionality is enabled + *- **antiscript**: html tags in text are allowed, (only script element is removed), click functionality is enabled */ securityLevel: 'strict', diff --git a/src/diagrams/common/common.js b/src/diagrams/common/common.js index 8362449a09..2389654036 100644 --- a/src/diagrams/common/common.js +++ b/src/diagrams/common/common.js @@ -5,6 +5,30 @@ export const getRows = s => { return str.split('#br#'); }; +export const removeScript = txt => { + var rs = ''; + var idx = 0; + + while (idx >= 0) { + idx = txt.indexOf('= 0) { + rs += txt.substr(0, idx); + txt = txt.substr(idx + 1); + + idx = txt.indexOf(''); + if (idx >= 0) { + idx += 9; + txt = txt.substr(idx); + } + } else { + rs += txt; + idx = -1; + break; + } + } + return rs; +}; + export const sanitizeText = (text, config) => { let txt = text; let htmlLabels = true; 
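Review bot: The new `antiscript` note in the securitylevel table says "only script element is removed" while also enabling click functionality, which overstates the protection: inline event-handler attributes and `javascript:` URLs are not script elements, so nothing in this patch removes them. Suggest wording the bullet as `*- **antiscript**: html tags in text are allowed and only <script> elements are removed; event-handler attributes (onclick, onerror, ...) and javascript: URLs pass through, so this level still requires trusting the diagram author. Click functionality is enabled`. The Values column should also use one capitalization scheme (`Strict, Loose, Antiscript` or all lowercase, matching the `'strict'` default below).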
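Review bot: `removeScript` makes a single forward pass with a case-sensitive `indexOf`, so text that re-forms a tag after one removal comes back live — `<scr<script></script>ipt>alert(1)</scr<script></script>ipt>` traces through the loop to exactly `<script>alert(1)</script>` — and `<SCRIPT>` / `<Script>` openers, which browsers honour, are never matched at all (the search literals were dropped from this rendering, but `idx += 9` is the length of `</script>`). The loop should repeat until the text stops changing and match case-insensitively; the rewrite below keeps the original's handling of an unterminated opener (everything after it is dropped, which is what a browser would execute anyway) and replaces `var`/`substr` with `let`/`const` and two regexes to match the file's ES-module style. Even fixed, this strips only script elements — inline event handlers and `javascript:` URLs still pass — so callers must not treat the result as safe HTML.
```javascript
// A closed <script>…</script> pair, or an opener that is never closed
// (browsers treat the latter as script to end of document).
const SCRIPT_PAIR = /<script\b[\s\S]*?<\/script\s*>/gi;
const SCRIPT_OPEN = /<script\b[\s\S]*$/i;

export const removeScript = txt => {
  // Iterate to a fixed point so text that re-forms a tag after one removal
  // (e.g. <scr<script></script>ipt>) is stripped rather than returned live.
  let out = String(txt);
  let previous;
  do {
    previous = out;
    out = out.replace(SCRIPT_PAIR, '').replace(SCRIPT_OPEN, '');
  } while (out !== previous);
  return out;
};
```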
@@ -14,12 +38,18 @@ export const sanitizeText = (text, config) => { ) htmlLabels = false; - if (config.securityLevel !== 'loose' && htmlLabels) { - // eslint-disable-line - txt = breakToPlaceholder(txt); - txt = txt.replace(//g, '>'); - txt = txt.replace(/=/g, '='); - txt = placeholderToBreak(txt); + if (htmlLabels) { + var level = config.securityLevel; + + if (level == 'antiscript') { + txt = removeScript(txt); + } else if (level !== 'loose') { + // eslint-disable-line + txt = breakToPlaceholder(txt); + txt = txt.replace(//g, '>'); + txt = txt.replace(/=/g, '='); + txt = placeholderToBreak(txt); + } } return txt; @@ -48,5 +78,6 @@ export default { sanitizeText, hasBreaks, splitBreaks, - lineBreakRegex + lineBreakRegex, + removeScript }; diff --git a/src/diagrams/common/common.spec.js b/src/diagrams/common/common.spec.js new file mode 100644 index 0000000000..ecf2dc3d5b --- /dev/null +++ b/src/diagrams/common/common.spec.js @@ -0,0 +1,26 @@ +import { removeScript } from './common'; + +describe('when securityLevel is antiscript, all script must be removed', function() { + it('should remove all script block, script inline.', function() { + const labelString = `1 + Act1: Hello 11 + Act2: + 11 + 1`; + + const result = removeScript(labelString); + const hasScript = (result.indexOf("script") >= 0); + expect(hasScript).toEqual(false); + + const exactlyString = `1 + Act1: Hello 11 + Act2: + 11 + 1`; + + const isEqual = (result == exactlyString); + expect(isEqual).toEqual(true); + }); +});
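Review bot: In the new `antiscript` branch of `sanitizeText`, `level == 'antiscript'` uses loose equality and `var level` a function-scoped declaration, while the adjacent check uses `!==`; `const level = config.securityLevel;` and `level === 'antiscript'` keep the block consistent. The branch also deserves a comment making its trust boundary explicit, because it returns the label with every other tag and attribute untouched: `// antiscript: only <script> elements are stripped; other tags, event-handler attributes and URLs pass through unchanged.` Falling through to the encoding branch for any unrecognised level is the right fail-safe default and is worth a one-line comment so nobody "fixes" it later.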
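Review bot: The new spec exercises only one lowercase, well-formed `<script>…</script>` case (the tags themselves appear stripped in this rendering), so the two ways a single-pass, case-sensitive stripper is defeated are untested; add `expect(removeScript('<SCRIPT>x</SCRIPT>')).not.toContain('SCRIPT');`, `expect(removeScript('<scr<script></script>ipt>')).not.toContain('<script');` and an unterminated `<script` opener — these will fail against the current implementation, which is the point. The boolean `indexOf`/`==` comparisons read better as `expect(result).not.toContain('script')` and `expect(result).toBe(exactlyString)`, which also print a useful diff on failure.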