Web UI: add sanitize() function to fn.js library.

Change-Id: I2d8fedf737dfaa86362b83edab57967888414088
(cherry picked from commit 0fe05d6c80d17c7dd19528ad63914767934416f0)
diff --git a/web/gui/src/main/webapp/app/fw/util/fn.js b/web/gui/src/main/webapp/app/fw/util/fn.js
index e3b9600..9706478 100644
--- a/web/gui/src/main/webapp/app/fw/util/fn.js
+++ b/web/gui/src/main/webapp/app/fw/util/fn.js
@@ -430,6 +430,61 @@
         return child;
     }
 
+    // -----------------------------------------------------------------
+    // The next section deals with sanitizing external strings destined
+    // to be loaded via a .html() function call.
+
+    var matcher = /<\/?([a-zA-Z0-9]+)*(.*?)\/?>/igm,
+        whitelist = ['b', 'i', 'p', 'em', 'strong'],
+        warnlist = ['script', 'style'];
+
+    // Returns true if the tag is in the warn list, (and is not an end-tag)
+    function inWarnList(tag) {
+        return (warnlist.indexOf(tag.name) !== -1 && tag.full.indexOf('/') === -1);
+    }
+
+    function analyze(html) {
+        html = String(html) || '';
+
+        var matches = [],
+            match;
+
+        // extract all tags
+        while ((match = matcher.exec(html)) !== null) {
+            matches.push({
+                full: match[0],
+                name: match[1]
+                // NOTE: ignoring attributes {match[2].split(' ')} for now
+            });
+        }
+
+        return matches;
+    }
+
+    function sanitize(html) {
+        html = String(html) || '';
+
+        var matches = analyze(html);
+
+        // do not allow script tags or style tags
+        html = html.replace(/<script(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/script>/gim, '');
+        html = html.replace(/<style(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/style>/gim, '');
+
+        // filter out all but whitelisted tag types
+        matches.forEach(function (tag) {
+            if (whitelist.indexOf(tag.name) === -1) {
+                html = html.replace(tag.full, '');
+                if (inWarnList(tag)) {
+                    $log.warn('Unsanitary HTML input -- ' + tag.full + ' detected!');
+                }
+            }
+        });
+
+        // TODO: consider encoding HTML entities, e.g. '&' -> '&amp;'
+
+        return html;
+    }
+
 
     angular.module('onosUtil')
         .factory('FnService',
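Review bot: Allowlisting by tag name alone leaves the whole of `tag.full` in the output for allowed tags, so attributes on `b`/`i`/`p`/`em`/`strong` (including event-handler attributes) reach `.html()` unchanged — the NOTE in `analyze()` that `match[2]` is ignored confirms attributes are never inspected. A cheap improvement is to rewrite allowed tags as a bare `<name>`/`</name>` in the `forEach` instead of leaving them in place; the same textual `html.replace(tag.full, '')` also removes only the first occurrence and can leave characters that were never part of `matches`, so the TODO about entity-encoding the text, or a DOM-based allowlist, is the safer long-term default for input that comes from outside the UI. The `<script>`/`<style>` regexes on the two `replace` calls only fire when a closing tag is present, so an unterminated tag relies solely on the per-tag pass. `$log` is not defined in this hunk; presumably it is injected into the factory elsewhere in the file.
```javascript
        // filter out all but whitelisted tag types; allowed tags are
        // re-emitted without their attributes so nothing else rides along
        matches.forEach(function (tag) {
            var isEndTag = tag.full.charAt(1) === '/',
                bareTag = '<' + (isEndTag ? '/' : '') + tag.name + '>';

            if (whitelist.indexOf(tag.name) === -1) {
                html = html.replace(tag.full, '');
                if (inWarnList(tag)) {
                    $log.warn('Unsanitary HTML input -- ' + tag.full + ' detected!');
                }
            } else if (tag.full !== bareTag) {
                html = html.replace(tag.full, bareTag);
            }
        });
        // … unchanged: TODO on entity encoding, return html …
```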
@@ -469,7 +524,8 @@
                 removeFromTrie: removeFromTrie,
                 trieLookup: trieLookup,
                 classNames: classNames,
-                extend: extend
+                extend: extend,
+                sanitize: sanitize
             };
     }]);