From 46ef5326e4874603f3d4e05f05a304496d0b6475 Mon Sep 17 00:00:00 2001
From: zmister <zmister@qq.com>
Date: Wed, 20 Oct 2021 14:07:22 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dice=E5=AF=8C=E6=96=87?=
 =?UTF-8?q?=E6=9C=AC=E7=BC=96=E8=BE=91=E5=99=A8=E4=B8=AD=E6=8F=92=E5=85=A5?=
 =?UTF-8?q?=E5=9B=BE=E7=89=87URL=E9=93=BE=E6=8E=A5=E7=9A=84XSS=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 static/mrdoc/mrdoc.editor.js             | 3 ++-
 template/app_doc/editor/create_base.html | 1 +
 template/app_doc/editor/create_doc.html  | 2 +-
 template/app_doc/editor/modify_doc.html  | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/static/mrdoc/mrdoc.editor.js b/static/mrdoc/mrdoc.editor.js
index 4ca1971b0..a4e3557bf 100644
--- a/static/mrdoc/mrdoc.editor.js
+++ b/static/mrdoc/mrdoc.editor.js
@@ -393,7 +393,8 @@ insertImg = function(e){
 // 按钮点击插入输入框图片链接
 insertImgUrl = function(){
     if(editor_mode == 3){
-        editor.addValue('<img src="' + $("#img_url_input").val() + '" />')
+        img_str = DOMPurify.sanitize('<img src="' + $("#img_url_input").val() + '" />',{ADD_TAGS: ['iframe']})
+        editor.addValue(img_str)
     }else{
         editor.insertValue("\n![](" + $("#img_url_input").val() + ")");
         editor.focus()
diff --git a/template/app_doc/editor/create_base.html b/template/app_doc/editor/create_base.html
index ea476448e..e04627a9f 100644
--- a/template/app_doc/editor/create_base.html
+++ b/template/app_doc/editor/create_base.html
@@ -234,6 +234,7 @@
         {% elif editor_mode == 3 %}
             <!-- iceEditor富文本编辑器 -->
             <script src="{% static 'iceEditor/src/iceEditor.min.js' %}?version={{mrdoc_version}}"></script>
+            <script src="{% static 'editor.md/lib/purify.min.js' %}?version={{mrdoc_version}}"></script>
             {% include 'app_doc/editor/tpl_editor_ice.html' %}
         {% elif editor_mode == 4 %}
             <!-- 在线表格 -->
diff --git a/template/app_doc/editor/create_doc.html b/template/app_doc/editor/create_doc.html
index 3215f7ab4..37674e5f2 100644
--- a/template/app_doc/editor/create_doc.html
+++ b/template/app_doc/editor/create_doc.html
@@ -272,7 +272,7 @@
                 var content = editor.getHTML()
                 var pre_content = editor.getValue()
             }else if(editor_mode == 3){
-                var content = editor.getHTML()
+                var content = DOMPurify.sanitize(editor.getHTML(),{ADD_TAGS: ['iframe']})
                 var pre_content = editor.getText()
             }else if(editor_mode == 4){
                 var content  = '';
diff --git a/template/app_doc/editor/modify_doc.html b/template/app_doc/editor/modify_doc.html
index adfef6308..9af8a6694 100644
--- a/template/app_doc/editor/modify_doc.html
+++ b/template/app_doc/editor/modify_doc.html
@@ -249,7 +249,7 @@
                 var content = editor.getHTML()
                 var pre_content = editor.getValue()
             }else if(editor_mode == 3){
-                var content = editor.getHTML()
+                var content = DOMPurify.sanitize(editor.getHTML(),{ADD_TAGS: ['iframe']})
                 var pre_content = editor.getText()
             }else if(editor_mode == 4){
                 var content  = '';