fix xss (#2531)

src/data/extra/web/js/markdown-it/markdown-it-xss.js

@@ -4,17 +4,24 @@
 module.exports = function protect_xss(md, opts = {}) {
   const proxy = (tokens, idx, options, env, self) => self.renderToken(tokens, idx, options);
   const defaultHtmlInlineRenderer = md.renderer.rules.html_inline || proxy;
+  const defaultHtmlBlockRenderer = md.renderer.rules.html_block || proxy;
+  opts.whiteList = {...window.filterXSS.getDefaultWhiteList(), ...opts.whiteList};
+  // Do not escape value when it is a tag and attr in the whitelist.
+  opts.safeAttrValue = (tag, name, value, cssFilter) => { return value; }
 
   function protectFromXSS(html) {
     return filterXSS(html, opts);
   }
 
-  function filterContent(tokens, idx, options, env, slf) {
+  function filterContent(tokens, idx, options, env, slf, fallback) {
     tokens[idx].content = protectFromXSS(tokens[idx].content);
-    return defaultHtmlInlineRenderer(tokens, idx, options, env, slf);
+    return fallback(tokens, idx, options, env, slf);
   }
 
-  md.renderer.rules.html_inline = filterContent;
+  md.renderer.rules.html_inline = (tokens, idx, options, env, slf) =>
+    filterContent(tokens, idx, options, env, slf, defaultHtmlInlineRenderer);
+  md.renderer.rules.html_block = (tokens, idx, options, env, slf) =>
+    filterContent(tokens, idx, options, env, slf, defaultHtmlBlockRenderer);
 };
 
 },{}]},{},[1])(1)

src/data/extra/web/js/markdownit.js

@@ -214,13 +214,6 @@ class MarkdownIt extends VxWorker {
                                   this.mdit.use(window.markdownItXSS, {
                                       whiteList: {
                                           input: ["style", "class", "disabled", "type", "checked"],
-                                          mark: ["style", "class"],
-                                          font: ["style", "color", "class"],
-                                          sub: ["style", "class"],
-                                          sup: ["style", "class"],
-                                          details: ["style", "class"],
-                                          summary: ["style", "class"],
-                                          ins: ["style", "class"],
                                           span: ["style", "class"],
                                       }
                                   });

src/widgets/framelessmainwindow/framelessmainwindowwin.h

@@ -14,9 +14,9 @@ namespace vnotex
 
     protected:
 #if (QT_VERSION >= QT_VERSION_CHECK(6,0,0))
-        bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result);
+        bool nativeEvent(const QByteArray &p_eventType, void *p_message, qintptr *p_result) Q_DECL_OVERRIDE;
 #else
-        bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result);
+        bool nativeEvent(const QByteArray &p_eventType, void *p_message, long *p_result) Q_DECL_OVERRIDE;
 #endif
 
         void moveEvent(QMoveEvent *p_event) Q_DECL_OVERRIDE;