Added some XSS blocking code. We only allow <d> and <i> tags others will be prepended with disabled.

jabbany · jabbany · commit 98cf13dd1578 · 2014-07-01T16:09:50.000-04:00
diff --git a/build/CommentCoreLibrary.js b/build/CommentCoreLibrary.js
diff --git a/demo/debugger.js b/demo/debugger.js
@@ -13,7 +13,8 @@ var tests = {
 	"test-ac-1":{"f":'tests/ACFun.json',"p":"acfun"},
 	"test-ac-2":{"f":'tests/ac940133.json',"p":"acfun"},
     "test-ts-1":"tests/invalid/no_closing.xml",
-    "test-ts-2":"tests/invalid/syntax_error.xml"
+    "test-ts-2":"tests/invalid/syntax_error.xml",
+    "test-ts-3":"tests/invalid/xss.xml"
 };
 
 var debugs = {
diff --git a/demo/index.htm b/demo/index.htm
@@ -59,7 +59,8 @@ <h3>AcFun (Experimental)</h3>
 			</div>
 			<p>TagSoup: <br>
                 <a id="test-ts-1" href="javascript:;">Tag Soup 1</a>, 
-                <a id="test-ts-2" href="javascript:;">Tag Soup 2</a>
+                <a id="test-ts-2" href="javascript:;">Tag Soup 2</a>,
+				<a id="test-ts-3" href="javascript:;">XSS</a>
 			</p>
 			<p>Filters: <br>
 				<a onclick="cm.filter.setRuntimeFilter(fefx.center_dim);" href="javascript:;">Apply Center-Transparency</a><br>
diff --git a/src/parsers/BilibiliFormat.js b/src/parsers/BilibiliFormat.js
@@ -3,7 +3,7 @@ Bilibili Format
 Licensed Under MIT License
  Takes in an XMLDoc/LooseXMLDoc and parses that into a Generic Comment List
 **/
-function BilibiliParser(xmlDoc, text){
+function BilibiliParser(xmlDoc, text, warn){
 	function fillRGB(string){
 		while(string.length < 6){
 			string = "0" + string;
@@ -18,8 +18,21 @@ function BilibiliParser(xmlDoc, text){
 	if(xmlDoc !== null){
         var elems = xmlDoc.getElementsByTagName('d');
     }else{
+    	if(warn){
+    		if(!confirm("XML Parse Error. \n Allow tag soup parsing?\n[WARNING: This is unsafe.]")){
+    			return [];
+    		}
+    	}else{
+    		// clobber some potentially bad things
+        	text = text.replace(new RegExp("</([^id])","g"), "</disabled $1");
+        	text = text.replace(new RegExp("</(\S{2,})","g"), "</disabled $1");
+        	text = text.replace(new RegExp("<([^id/]\s)","g"), "<disabled $1");
+        	text = text.replace(new RegExp("<([^/ ]{2,}\W*?)","g"), "<disabled $1");
+        	console.log(text);
+    	}
         var tmp = document.createElement("div");
         tmp.innerHTML = text;
+        console.log(tmp);
         var elems = tmp.getElementsByTagName('d');
     }
 	var tlist = [];
diff --git a/tests/invalid/xss.xml b/tests/invalid/xss.xml
@@ -0,0 +1 @@
+<img src="" onerror="alert()">
