@@ -1,29 +1,6 @@
|
|
|
(ns frontend.security
|
|
(ns frontend.security
|
|
|
"Provide security focused fns like preventing XSS attacks"
|
|
"Provide security focused fns like preventing XSS attacks"
|
|
|
- (:require [clojure.walk :as walk]
|
|
|
|
|
- [frontend.util :as util]
|
|
|
|
|
- ["dompurify" :as DOMPurify]))
|
|
|
|
|
-
|
|
|
|
|
-;; To prevent from cross-site scripting vulnerability, we should add security checks for both hiccup and raw html.
|
|
|
|
|
-;; Hiccup: [:a {:href "javascript:alert('hei')"} "click me"]
|
|
|
|
|
-
|
|
|
|
|
-(defn javascript-link?
|
|
|
|
|
- [f]
|
|
|
|
|
- (and
|
|
|
|
|
- (vector? f)
|
|
|
|
|
- (= :a (first f))
|
|
|
|
|
- (:href (second f))
|
|
|
|
|
- (:href (second f))
|
|
|
|
|
- (util/safe-re-find #"(?i)javascript" (:href (second f)))))
|
|
|
|
|
-
|
|
|
|
|
-(defn remove-javascript-links-in-href
|
|
|
|
|
- [hiccup]
|
|
|
|
|
- (walk/postwalk
|
|
|
|
|
- (fn [f]
|
|
|
|
|
- (if (javascript-link? f)
|
|
|
|
|
- (update f 1 dissoc :href)
|
|
|
|
|
- f))
|
|
|
|
|
- hiccup))
|
|
|
|
|
|
|
+ (:require ["dompurify" :as DOMPurify]))
|
|
|
|
|
|
|
|
(def sanitization-options (clj->js {:ADD_TAGS ["iframe"]
|
|
(def sanitization-options (clj->js {:ADD_TAGS ["iframe"]
|
|
|
:ALLOW_UNKNOWN_PROTOCOLS true
|
|
:ALLOW_UNKNOWN_PROTOCOLS true
|