remove comments and improve regex for preventing
randhirexpresstech committed Feb 26, 2024
1 parent 85d99f0 commit 26e4f36
Showing 2 changed files with 12 additions and 34 deletions.
41 changes: 8 additions & 33 deletions js/qsm-admin.js
Expand Up @@ -1336,20 +1336,9 @@ if(current_id == 'qsm_variable_text'){ jQuery(".current_variable")[0].click();}
});

function sanitizeHtml(content) {

// Remove non empty p tag
//content = content.replace(/<p([^>]*)>(?!\s*<\/p>)(.*?)<\/p>/gi, '$2');

// Replace br with /n
//content = content.replace(/<br \/>/gi, '\n');

// Decode HTML
// var txt = document.createElement("textarea");
// txt.innerHTML = content;
// content = txt.value;

// Match <img> tags with src attributes
content = content.replace(/<img\s+[^>]*src\s*=\s*['"]([^'"]+)['"][^>]*>/gi, function(match, src) {
content = content.replace(/<img\b.*?src\s*=\s*['"]([^'"]+)['"].*?>/gi, function(match, src) {
src = ( 'undefined' === typeof src || null === src ) ? '': src.split('?')[0];
// Check if the src URL is valid (ends with .jpg, .jpeg, .png, or .gif)
if (src.match(/\.(jpg|jpeg|png|gif|webp)$/i)) {
Expand All @@ -1360,7 +1349,11 @@ if(current_id == 'qsm_variable_text'){ jQuery(".current_variable")[0].click();}
});

// Remove style attribute
content = content.replace(/style\s*=\s*(['"])(.*?)\1/gi, '')
content = content.replace(/style\s*=\s*(['"])(.*?)\1/gi, '');

// Remove background attribute
content = content.replace(/background\s*=\s*(['"])(.*?)\1/gi, '');

// Remove 'javascript:' injection, alert, prompt, confirm
content = content.replace(/javascript:/gi, '');
content = content.replace(/alert\(/gi, '');
Expand All @@ -1376,26 +1369,8 @@ if(current_id == 'qsm_variable_text'){ jQuery(".current_variable")[0].click();}
content = content.replace(/<link\b[^>]*>/gi, '');

// Remove any on event attributes
content = content.replace(/\s*on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/gi, '');

// Remove any javascript: URLs
content = content.replace(/<[^>]+?\s+[^>]*?=\s*["']?\s*javascript:.*?\s*["']?[^>]*>/gi, '');

// Encode Html
// txt = document.createElement('textarea');
// txt.innerText = content;
// content = txt.innerHTML;
// Decode empty QSM variable
// content = content.replace(/&lt;span class=&quot;qsm-highlight-variables&quot;&gt;([^&]+)&lt;\/span&gt;/gi, '<span class="qsm-highlight-variables">$1</span>');
// content = content.replace(/&lt;span class="qsm-highlight-variables"&gt;([^&]+)&lt;\/span&gt;/gi, '<span class="qsm-highlight-variables">$1</span>');

// Decode empty br tag
// content = content.replace(/&lt;br \/&gt;/gi, '<br />');
// content = content.replace(/&lt;br \/&gt;/gi, '<br />');
// content = content.replace(/\n/gi, '<br />');
// Decode empty p tag
// content = content.replace(/&lt;p&gt;&nbsp;&lt;\/p&gt;/gi, '<p> </p>');

content = content.replace(/on\w+\s*=\s*(['"][^'"]*['"]|[^>\s]+)/gi, '');

return content;
}

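Review bot: The new `<img>` pattern `content.replace(/<img\b.*?src\s*=\s*['"]([^'"]+)['"].*?>/gi, …)` in the first hunk uses `.*?` without the `s` flag, so an img tag whose `src` sits on a later line (`<img` newline `src="…">`) no longer matches and bypasses the extension check in the callback, whereas the replaced `[^>]*` form did cross newlines; `.*?` can also run past a `>` into a following tag when the img itself has no `src`, so the match (and whatever the callback returns for it) may swallow intervening markup. Keeping the tag-bounded form, `content.replace(/<img\b[^>]*?\bsrc\s*=\s*['"]([^'"]+)['"][^>]*>/gi, …)`, avoids both. In the last hunk the old `javascript:`-URL attribute regex is dropped and only the context line `content.replace(/javascript:/gi, '')` remains, which is a single non-recursive pass, and the new `on\w+\s*=\s*(…)` replacement has no leading `\s`/word-boundary anchor, so it also strips text such as `condition=1` inside attribute values or prose. The enclosing sanitizeHtml spans all three hunks; the img callback body between the first and second hunk is outside the view.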
5 changes: 4 additions & 1 deletion php/classes/class-qsm-results-pages.php
Expand Up @@ -332,6 +332,9 @@ public static function sanitize_html( $html = '' ) {
// Remove styles attributes
$html = preg_replace('/(<[^>]+) style=".*?"/i', '$1', $html);

// Remove background attributes
$html = preg_replace('/(<[^>]+) background=".*?"/i', '$1', $html);

// Remove input tags
$html = preg_replace('/<input\b[^>]*>/i', '', $html);

Expand All @@ -354,7 +357,7 @@ public static function sanitize_html( $html = '' ) {
if (in_array(strtolower($file_extension), $valid_image_types) &&
isset($url_parts['scheme']) && in_array(strtolower($url_parts['scheme']), array('http', 'https')) &&
empty($url_parts['query'])) {
return '<img src="' . esc_url( $src ) . '">';
return $matches[0];
} else {
return '';
}
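Review bot: The added `$html = preg_replace('/(<[^>]+) background=".*?"/i', '$1', $html);` only strips a `background` attribute written with exactly one space before it and double quotes, so `background='…'`, `background = "…"` or a tab-separated form pass through untouched; it mirrors the `style` line above it, which has the same gap. A tolerant form is `$html = preg_replace('/(<[^>]+)\s+background\s*=\s*(["\']).*?\2/i', '$1', $html);`. In the second hunk, if `return $matches[0];` is the new side as the print order suggests, the callback now hands back the original `<img …>` tag with every attribute it carried instead of the minimal `esc_url( $src )` rebuild, so the scheme/extension/query check covers only `src` and the remaining attributes depend on the earlier replaces; worth a comment stating that intent. sanitize_html begins before the first hunk and ends after the second.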
