Web UI: augment sanitize() function
 to allow parameterized RE generation from evillist.

Change-Id: I0c41b973c1fdbac190d22806f08bb6fe107a7118
diff --git a/web/gui/src/main/webapp/app/fw/util/fn.js b/web/gui/src/main/webapp/app/fw/util/fn.js
index 9706478..2d55623 100644
--- a/web/gui/src/main/webapp/app/fw/util/fn.js
+++ b/web/gui/src/main/webapp/app/fw/util/fn.js
@@ -436,11 +436,11 @@
 
     var matcher = /<\/?([a-zA-Z0-9]+)*(.*?)\/?>/igm,
         whitelist = ['b', 'i', 'p', 'em', 'strong'],
-        warnlist = ['script', 'style'];
+        evillist = ['script', 'style', 'iframe'];
 
-    // Returns true if the tag is in the warn list, (and is not an end-tag)
-    function inWarnList(tag) {
-        return (warnlist.indexOf(tag.name) !== -1 && tag.full.indexOf('/') === -1);
+    // Returns true if the tag is in the evil list, (and is not an end-tag)
+    function inEvilList(tag) {
+        return (evillist.indexOf(tag.name) !== -1 && tag.full.indexOf('/') === -1);
     }
 
     function analyze(html) {
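Review bot: `inEvilList` decides "not an end-tag" with `tag.full.indexOf('/') === -1`, which fires on any `/` in the tag text, so a realistic `<iframe src="https://evil.example/">` (or `<script src=...>`) is classified as an end-tag and the `$log.warn` in the whitelist pass is skipped even though the tag itself is stripped. With the matcher on the line above, an end-tag is exactly one that begins with `</`, so the check should be anchored: `return (evillist.indexOf(tag.name) !== -1 && tag.full.indexOf('</') !== 0);`. The spec added in this commit only exercises a bare `<iframe>`, which is why the attribute case goes unnoticed; whether `tag.name` is lower-cased (so that `<IFRAME>` is matched by the case-sensitive `indexOf`) depends on `analyze()`, whose body is outside the hunk.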
@@ -466,15 +466,17 @@
 
         var matches = analyze(html);
 
-        // do not allow script tags or style tags
-        html = html.replace(/<script(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/script>/gim, '');
-        html = html.replace(/<style(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/style>/gim, '');
+        // completely obliterate evil tags and their contents...
+        evillist.forEach(function (tag) {
+            var re = new RegExp('<' + tag + '(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/' + tag + '>', 'gim');
+            html = html.replace(re, '');
+        });
 
-        // filter out all but whitelisted tag types
+        // filter out all but white-listed tags and end-tags
         matches.forEach(function (tag) {
             if (whitelist.indexOf(tag.name) === -1) {
                 html = html.replace(tag.full, '');
-                if (inWarnList(tag)) {
+                if (inEvilList(tag)) {
                     $log.warn('Unsanitary HTML input -- ' + tag.full + ' detected!');
                 }
             }
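Review bot: The obliteration pass is one global substitution per tag and `matches` is computed from the html *before* that pass, so fragments that the pass splices together are never re-examined: for `Foo<scr<script></script>ipt>alert(1)</script>` the pre-pass removes the inner `<script></script>`, leaving `<script>alert(1)</script>`, and the whitelist loop then looks for the stale `<scr<script>` (no longer present), removes only `</script>`, and a `<script>` start tag survives in the output — and because `</script>` contains `/`, nothing is logged. Repeating the pass until the string stops changing and calling `analyze()` after it closes that gap, as below. Separately, whitelisted tags are kept verbatim including their attributes, so `<b onmouseover="...">` passes through untouched; a DOM-based sanitizer (parse, walk, keep only whitelisted element names, drop all attributes) would be more robust than regexes, but that is a larger change than this hunk. This assumes `analyze()` scans the string it is given, which cannot be confirmed from the hunk since its body lies outside it.
```javascript
        // completely obliterate evil tags and their contents...
        // Loop to a fixpoint: a single pass can splice two fragments into a
        // brand-new evil tag (e.g. "<scr<script></script>ipt>" -> "<script>").
        var before;
        do {
            before = html;
            evillist.forEach(function (tag) {
                var re = new RegExp('<' + tag + '(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/' + tag + '>', 'gim');
                html = html.replace(re, '');
            });
        } while (html !== before);

        // analyze AFTER obliteration so every tag.full still occurs in html
        var matches = analyze(html);

        // … unchanged: white-list filtering loop …
```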
diff --git a/web/gui/src/main/webapp/tests/app/fw/util/fn-spec.js b/web/gui/src/main/webapp/tests/app/fw/util/fn-spec.js
index a7bda70..257c90d 100644
--- a/web/gui/src/main/webapp/tests/app/fw/util/fn-spec.js
+++ b/web/gui/src/main/webapp/tests/app/fw/util/fn-spec.js
@@ -480,6 +480,15 @@
         );
     });
 
+
+    it('should log a warning for < iframe > tags', function () {
+        spyOn($log, 'warn');
+        chkSan('Foo<iframe><body><h1>fake</h1></body></iframe>Bar', 'FooBar');
+        expect($log.warn).toHaveBeenCalledWith(
+            'Unsanitary HTML input -- <iframe> detected!'
+        );
+    });
+
     it('should completely strip < script >, remove < a >, retain < i >', function () {
         chkSan(
             'Hey <i>this</i> is <script>alert("foo");</script> <a href="meh">cool</a>',
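Review bot: The new `< iframe >` spec only covers an attribute-less tag, which is the one form an injected iframe never takes; a case with a `src` attribute would exercise the logging path realistically and, as far as `inEvilList` in fn.js shows (it treats any `/` in `tag.full` as an end-tag marker), its warn expectation would currently fail, which is exactly what the spec should catch. The stripping assertion should still hold because the obliteration regex removes the whole element regardless of attributes. Suggested addition alongside the new test:
```javascript
    it('should log a warning for < iframe > tags with attributes', function () {
        spyOn($log, 'warn');
        chkSan('Foo<iframe src="https://x.example/">fake</iframe>Bar', 'FooBar');
        expect($log.warn).toHaveBeenCalledWith(
            'Unsanitary HTML input -- <iframe src="https://x.example/"> detected!'
        );
    });
```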