liweichun
/
my-bookmark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

xss attack

This commit is contained in:
luchenqun 2019-05-17 09:58:31 +08:00
parent 3451d4e784
commit 6aef48306d
2 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
package.json
View File

@ -22,6 +22,7 @@
"node-readability": "^2.2.0", "node-readability": "^2.2.0",
"path": "^0.12.7", "path": "^0.12.7",
"request": "^2.81.0", "request": "^2.81.0",
"supervisor": "^0.11.0" "supervisor": "^0.11.0",
"xss": "^1.0.6"
} }
} }

8
routes/api.js
View File

@ -11,6 +11,7 @@ var request = require('request');
var cheerio = require('cheerio'); var cheerio = require('cheerio');
var path = require('path'); var path = require('path');
var beautify_html = require('js-beautify').html; var beautify_html = require('js-beautify').html;
var xss = require('xss');
var storage = multer.diskStorage({ var storage = multer.diskStorage({
destination: function(req, file, cb) { destination: function(req, file, cb) {
@ -1432,7 +1433,9 @@ api.get('/notes', function(req, res) {
.catch((err) => console.log('notes', err)); .catch((err) => console.log('notes', err));
} else { } else {
db.getNote(params.shareNote) db.getNote(params.shareNote)
.then((data) => res.send(` .then((data) => {
data = xss(data);
res.send(`
<body style="margin:0px;height:100%;"> <body style="margin:0px;height:100%;">
<head> <head>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no, minimal-ui"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no, minimal-ui">
@ -1449,7 +1452,8 @@ api.get('/notes', function(req, res) {
<div id="note-div" style="text-align:center;"> <div id="note-div" style="text-align:center;">
<pre id="note" style="background-color:RGB(243,244,245); padding:0px 10px 0px 10px; margin:0px; width:60%; min-height:100%;display: inline-block;text-align: left; font-size: 15px; font-family:italic arial,sans-serif;word-wrap: break-word;white-space: pre-wrap;">\n\n${data}\n\n</pre> <pre id="note" style="background-color:RGB(243,244,245); padding:0px 10px 0px 10px; margin:0px; width:60%; min-height:100%;display: inline-block;text-align: left; font-size: 15px; font-family:italic arial,sans-serif;word-wrap: break-word;white-space: pre-wrap;">\n\n${data}\n\n</pre>
</div> </div>
</body>`)) </body>`)
})
.catch((err) => console.log('notes', err)); .catch((err) => console.log('notes', err));
} }
} else { } else {