fix: xss_filter kill mathjax

F0RE1GNERS · Apr 23, 2017 · f62a61f · f62a61f
1 parent 680d60d
commit f62a61f
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/utils/xss_filter.py b/utils/xss_filter.py
@@ -31,21 +31,22 @@ class XssHtml(HTMLParser):
                   'p', 'div', 'em', 'span', 'h1', 'h2', 'h3', 'h4',
                   'h5', 'h6', 'blockquote', 'ul', 'ol', 'tr', 'th', 'td',
                   'hr', 'li', 'u', 'embed', 's', 'table', 'thead', 'tbody',
-                  'caption', 'small', 'q', 'sup', 'sub']
+                  'caption', 'small', 'q', 'sup', 'sub', 'script']
     common_attrs = ["style", "class", "name"]
     nonend_tags = ["img", "hr", "br", "embed"]
     tags_own_attrs = {
         "img": ["src", "width", "height", "alt", "align"],
         "a": ["href", "target", "rel", "title"],
         "embed": ["src", "width", "height", "type", "allowfullscreen", "loop", "play", "wmode", "menu"],
         "table": ["border", "cellpadding", "cellspacing"],
+        "script": ["type"],
     }
 
     _regex_url = re.compile(r'^(((http|https|ftp)://)|/).*', re.I | re.S)
     _regex_style_1 = re.compile(r'(\\|&#|/\*|\*/)', re.I)
     _regex_style_2 = re.compile(r'e.*x.*p.*r.*e.*s.*s.*i.*o.*n', re.I | re.S)
 
-    def __init__(self, allows=[]):
+    def __init__(self, allows=None):
         HTMLParser.__init__(self)
         self.allow_tags = allows if allows else self.allow_tags
         self.result = []
@@ -91,7 +92,8 @@ def handle_endtag(self, tag):
             self.start.pop()
 
     def handle_data(self, data):
-        self.result.append(self._htmlspecialchars(data))
+        # self.result.append(self._htmlspecialchars(data))
+        self.result.append(data)
 
     def handle_entityref(self, name):
         if name.isalpha():
@@ -114,6 +116,12 @@ def node_a(self, attrs):
         })
         return attrs
 
+    def node_script(self, attrs):
+        attrs = self._limit_attr(attrs, {
+            "type": ["math/tex", "math/tex; mode=display"]
+        })
+        return attrs
+
     def node_embed(self, attrs):
         attrs = self._common_attr(attrs)
         attrs = self._get_link(attrs, "src")
@@ -193,6 +201,8 @@ def _htmlspecialchars(self, html):
         <p id="test" onmouseover="alert(1)" style="expresSion(alert(1))">&gt;M<svg>
         <a href="https://www.baidu.com" target="self">MM</a></p>
         <embed src='javascript:alert(/hehe/)' allowscriptaccess=always />
-        <a href="/problem/">Problems</a>""")
+        <a href="/problem/">Problems</a>
+        <script type="math/tex">(1<n \\leq 100)</script>
+""")
     parser.close()
     print(parser.getHtml())