From 94b9b68b4f8d2d40b2fc1815ec5b1c6f060fa049 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=82=B9=E6=99=AF=E7=AB=8B?=
Date: Wed, 15 Sep 2021 14:35:03 +0800
Subject: [PATCH] =?UTF-8?q?=E7=BC=96=E8=BE=91=E5=99=A8xss=E8=BF=87?=
 =?UTF-8?q?=E6=BB=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 public/static/plugs/ckeditor/config.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/public/static/plugs/ckeditor/config.js b/public/static/plugs/ckeditor/config.js
index 6111afdd12..803575ef25 100644
--- a/public/static/plugs/ckeditor/config.js
+++ b/public/static/plugs/ckeditor/config.js
@@ -8,11 +8,13 @@ CKEDITOR.editorConfig = function (config) {
 {name: 'uimage', items: ['Link', 'Unlink', 'Table', 'UploadImage', 'UploadMusic', 'UploadVideo', 'UploadHtml']},
 {name: 'tools', items: ['Maximize']}
 ];
- config.allowedContent = true;
 config.format_tags = 'p;h1;h2;h3;pre';
 config.extraPlugins = 'uimage,umusic,uhtml,uvideo';
 config.removeButtons = 'Underline,Subscript,Superscript';
 config.removeDialogTabs = 'image:advanced;link:advanced';
+ // 内容过滤
+ config.allowedContent = {$1: {elements: CKEDITOR.dtd, attributes: true, styles: true, classes: true}};
+ config.disallowedContent = 'script; *[on*]';
 config.font_names = '微软雅黑/Microsoft YaHei;宋体/SimSun;新宋体/NSimSun;仿宋/FangSong;楷体/KaiTi;黑体/SimHei;' + config.font_names;
 };
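Review bot: The added filter is still an allow-everything base (`elements: CKEDITOR.dtd` with `attributes: true`) narrowed by a two-entry deny-list, so `script` and `on*` handlers are dropped but elements such as `iframe`, `object`, `embed`, `form`, `style`, `meta`, `link` and `base` remain allowed with any attribute, and as far as I know ACF string rules match attribute names rather than values, so a `javascript:` `href` or `src` also passes. At minimum widen the deny-list, e.g. `config.disallowedContent = 'script style iframe object embed form input textarea button link meta base; *[on*]';`, or better replace `elements: CKEDITOR.dtd` with an explicit list of the tags this editor actually needs. This is client-side editor configuration only — a request can bypass the editor entirely — so the server must still sanitise the submitted HTML before storing or rendering it, and the commit title ("editor XSS filtering") suggests this change is being relied on as the XSS fix. I would say so in the comment, e.g. `// Content filtering (ACF) — client-side only; the server must still sanitise the HTML it receives`. The enclosing `CKEDITOR.editorConfig` function starts before this hunk.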