Merge branch 'develop' into 23_RO-Crate_previewer
ErykKul authored Oct 17, 2023
2 parents 0899bf0 + 81c4682 commit 3410338
Showing 4 changed files with 128 additions and 0 deletions.
25 changes: 25 additions & 0 deletions 5.2curlcommands.md
Expand Up @@ -50,6 +50,31 @@ curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin
}'
```

> Rich HTML Previewer - Potential Issues if used with malicious content
```bash
curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin/externalTools -d \
'{
"displayName":"Rich HTML Previewer",
"description":"View the html file and run potentially malicious JavaScript. Useful for interactive HTML files that use e.g. Plotly",
"toolName":"richHtmlPreviewer",
"scope":"file",
"types":["preview"],
"toolUrl":"https://gdcc.github.io/dataverse-previewers/previewers/betatest/RichHtmlPreview.html",
"toolParameters": {
"queryParameters":[
{"fileid":"{fileId}"},
{"siteUrl":"{siteUrl}"},
{"key":"{apiToken}"},
{"datasetid":"{datasetId}"},
{"datasetversion":"{datasetVersion}"},
{"locale":"{localeCode}"}
]
},
"contentType":"text/html"
}'
```

```bash
curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin/externalTools -d \
'{
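--- a/previewers/betatest/RichHtmlPreview.html
+++ b/previewers/betatest/RichHtmlPreview.html
@@ -0,0 +1,39 @@
+<html>
+<head>
+<meta charset="utf-8" />
+<title class="htmlPreviewText">Html Preview</title>
+<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
+<script type="text/javascript" src="js/xss.js"></script>
+<script type="text/javascript" src="js/richhtml.js"></script>
+<script src="lib/jquery.i18n.js"></script>
+<script src="lib/jquery.i18n.messagestore.js"></script>
+<script src="lib/jquery.i18n.language.js"></script>
+<script type="text/javascript" src="js/retriever.js"></script>
+<!-- Latest compiled and minified CSS -->
+<link
+rel="stylesheet"
+href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css"
+integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu"
+crossorigin="anonymous"
+/>
+<!-- Optional theme -->
+<link
+rel="stylesheet"
+href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap-theme.min.css"
+integrity="sha384-6pzBo3FDv/PJ8r2KRkGHifhEocL+1X2rVCTTkUfGk7/0pbek5mMa1upzvWbrUbOZ"
+crossorigin="anonymous"
+/>
+<link type="text/css" rel="stylesheet" href="css/preview.css" />
+</head>
+
+<body class="container">
+<main>
+<img id="logo" alt="Site Logo" />
+<h1 class="page-title htmlPreviewText">Insecure Html Preview</h1>
+<div class="preview-container">
+<div class="preview-header"></div>
+<div class="preview"></div>
+</div>
+</main>
+</body>
+</html>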
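Review bot: The jQuery `<script>` on the `ajax.googleapis.com` line is loaded from a third-party CDN without `integrity`/`crossorigin`, while both Bootstrap `<link>` tags in the same head carry SRI hashes; for a page whose stated purpose is to execute untrusted content, pinning the script is the consistent choice, e.g. `<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js" integrity="sha384-<PLACEHOLDER: hash of jquery-3.5.1.min.js>" crossorigin="anonymous"></script>`. The head also loads `js/xss.js`, but nothing in the `richhtml.js` added by this commit calls into it, so a short HTML comment on that line saying whether it is intentionally unused here (or consumed by `retriever.js`) would keep the next reader from assuming sanitisation is taking place.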
1 change: 1 addition & 0 deletions previewers/betatest/i18n/en.json
Expand Up @@ -8,6 +8,7 @@
"audioPreviewText": "Audio Preview",
"csvPreviewText": "Csv Preview",
"htmlPreviewText": "Html Preview",
"richHtmlPreviewText": "This data file includes JavaScript which may need to run for the data to display properly.\n\nYou can click the OK to allow the JavaScript to run, but be sure you trust this datafile as a malicious JavaScript could harm your computer (with the same concerns as if you went to a malicious website outside of Dataverse).\n\nIf you wish to not run the complete page, click Abort to be redirected to Dataverse.",
"annotationsText": "Annotations",
"imagePreviewText": "Image Preview",
"mapPreviewText": "Map Preview",
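--- a/previewers/betatest/js/richhtml.js
+++ b/previewers/betatest/js/richhtml.js
@@ -0,0 +1,63 @@
+$(document).ready(function () {
+
+const MESSAGE = $.i18n("richHtmlPreviewText")
+userConfirms = confirm(MESSAGE)
+
+if (userConfirms) {
+// Preview the HTML file
+startPreview(true);
+} else {
+// Redirect to the file page
+queryParams = new URLSearchParams(window.location.search.substring(1));
+var siteUrl = queryParams.get("siteUrl");
+var fileID = queryParams.get("fileid");
+var versionUrl = siteUrl + "/api/datasets/"
++ queryParams.get("datasetid") + "/versions/"
++ queryParams.get("datasetversion");
+
+fetchMetaAndRedirect(versionUrl, fileID, siteUrl);
+}
+});
+
+function fetchMetaAndRedirect(versionURL, fileID, siteUrl) {
+$.ajax({
+type: 'GET',
+dataType: "json",
+crosssite: true,
+url: versionURL,
+success: function (data, status) {
+console.log(data);
+redirectToFilePage(data, siteUrl, fileID);
+},
+error: function (request, status, error) {
+alert("Could not find persistent ID for file. Redirecting to the Dataverse page.")
+window.location.replace(siteUrl);
+}
+});
+}
+
+function redirectToFilePage(data, siteUrl, fileID) {
+// Search for the file ID in the JSON
+const files = data.data.files
+const persistentFile = files.find(file => file.dataFile.id == fileID)
+const persistentFileId = persistentFile.dataFile.persistentId
+const fileVersion = persistentFile.version
+
+// Redirect to the file page
+const fileUrl = siteUrl + "/file.xhtml?persistentId=" + persistentFileId + "&version=" + fileVersion
+window.location.replace(fileUrl);
+}
+
+function translateBaseHtmlPage() {
+var htmlPreviewText = $.i18n("htmlPreviewText");
+$('.htmlPreviewText').text(htmlPreviewText);
+}
+
+function writeContentAndData(data, fileUrl, file, title, authors) {
+addStandardPreviewHeader(file, title, authors);
+options = {
+"stripIgnoreTag": true,
+}; // Custom rules
+
+$('.preview').append($("<div/>").html(data));
+}
+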
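Review bot: `redirectToFilePage` dereferences the result of `files.find(...)` with no null check, so a file id that is not present in the returned version (or a response lacking `data.files`) throws a TypeError inside the `success` callback and leaves the user on a blank previewer instead of redirecting; guard it with `if (!persistentFile) { window.location.replace(siteUrl); return; }` to mirror the `error` branch. The `options` object with `stripIgnoreTag` in `writeContentAndData` is never used — `data` goes straight into `.html(data)` — so either hand it to the filter that `js/xss.js` provides (if that file is the js-xss library, `filterXSS(data, options)`) or delete it, because as written it suggests a sanitisation step that does not happen. Since the tool is registered with `{"key":"{apiToken}"}` in 5.2curlcommands.md, the untrusted document appended here runs in a page whose `window.location.search` contains the user's API token, while the confirmation text only warns about harm to the computer; the i18n message (or a comment above the `.html(data)` call) should say the token is exposed, and if `retriever.js` no longer needs the query string once the file has been fetched, `history.replaceState(null, '', window.location.pathname)` before the append would narrow that exposure. Also, `userConfirms`, `queryParams` and `options` are assigned without `const`/`let` and so become implicit globals, and `crosssite: true` is not a jQuery `$.ajax` option as far as I can tell (the documented one is `crossDomain`), so it is silently ignored.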
