hinesboy / mavonEditor

mavonEditor - A markdown editor based on Vue that supports a variety of personalized features
http://www.mavoneditor.com/
MIT License
6.45k stars, 918 forks

How to enable XSS protection #472

Closed itDjango closed 3 years ago

itDjango commented 5 years ago

[screenshot]

guang19 commented 5 years ago

That scares me.

guang19 commented 5 years ago

I need to go take a look.

itDjango commented 5 years ago

I need to go take a look.

So does your project have this problem? Or how did you solve it?

guang19 commented 5 years ago

I haven't found it yet; probably because I'm not very familiar with this.

itDjango commented 5 years ago

I haven't found it yet; probably because I'm not very familiar with this.

If you type this in the editor:

[screenshot]

doesn't it pop up?

guang19 commented 5 years ago

[screenshot] It popped.

guang19 commented 5 years ago

But I don't know what to do about it.

itDjango commented 5 years ago

But I don't know what to do about it.

This is a fairly serious security problem if your project has high security requirements! I haven't found a fix either, so I'm asking whether anyone else has a good solution.

guang19 commented 5 years ago

OK, thanks.

chenghuan10081 commented 5 years ago

Sob. Let me try it.

qifengwangye commented 5 years ago

@hinesboy Boss, how do we solve this?

pengqiangsheng commented 5 years ago

Use escaping for this:

export const unHtml = (str) => {
  return str ? str.replace(/[&<">']/g, (a) => {
    // '&' added so that existing entities are not re-interpreted; the rest is as posted
    return { '&': '&amp;', '<': '&lt;', '"': '&quot;', '>': '&gt;', "'": '&#39;' }[a]
  }) : ''
}

// ------------- example -----------------
const str = "<p></p>"
const newStr = unHtml(str)
console.log(newStr) // &lt;p&gt;&lt;/p&gt;

iamKyun commented 4 years ago

Right after npm-installing this plugin it reported a security vulnerability; it seems every version is affected, so I'll have to work around it myself for now.

PuZhiweizuishuai commented 4 years ago

I'm not very familiar with the frontend and don't know what to do there, but when writing the backend I escape directly with Spring's HtmlUtils.

itDjango commented 4 years ago

Use escaping for this:

export const unHtml = (str) => {
  return str ? str.replace(/[<">']/g, (a) => {
    return { '<': '&lt;', '"': '&quot;', '>': '&gt;', "'": '&#39;' }[a]
  }) : ''
}

// ------------- example -----------------
const str = "<p></p>"
const newStr = unHtml(str)
console.log(newStr) // &lt;p&gt;&lt;/p&gt;

Does your method deal with the XSS that fires while typing with live preview? Commonly called self-XSS.

itDjango commented 4 years ago

I'm not very familiar with the frontend and don't know what to do there, but when writing the backend I escape directly with Spring's HtmlUtils.

Backend escaping is useless for this problem, because the XSS fires immediately while you type. Once input is finished and the frontend sends the data to the backend, the frontend can escape it and the backend can escape it too. But while you type with live preview, I don't know how to prevent the XSS.

itDjango commented 4 years ago

Anyway, I ended up giving up on this editor and switched to another one. Our security requirements are high, and even self-XSS is not acceptable.

WRCoding commented 4 years ago

Anyway, I ended up giving up on this editor and switched to another one. Our security requirements are high, and even self-XSS is not acceptable.

Boss, which editor did you switch to in the end? Can you recommend it?

NateScarlet commented 4 years ago

Duplicate of #285

For now I've chosen to disable html, but judging by #368 there still seem to be problems even with it disabled; not sure what's going on.

jonathanpmartins commented 4 years ago

I just installed this editor, soon after...

Screenshot from 2020-04-03 20-54-13

Visiting the npm advisory website I get this: Screenshot from 2020-04-03 20-57-35

Any updates? This is bad security practice...

itDjango commented 4 years ago

Anyway, I ended up giving up on this editor and switched to another one. Our security requirements are high, and even self-XSS is not acceptable.

Boss, which editor did you switch to in the end? Can you recommend it?

https://www.npmjs.com/package/wangeditor

itDjango commented 4 years ago

I just installed this editor, soon after...

  • When I run "npm audit" i get this message:

Screenshot from 2020-04-03 20-54-13

Visiting the npm advisory website I get this: Screenshot from 2020-04-03 20-57-35

Any updates? This is bad security practice...

So I gave up and recommend my new one to you: https://www.npmjs.com/package/wangeditor

maltegrosse commented 4 years ago

any updates?

High: Cross-Site Scripting
Package: mavon-editor
Patched in: No patch available
Dependency of: mavon-editor
Path: mavon-editor
More info: https://npmjs.com/advisories/1169

Kylelkh commented 4 years ago

You could consider using the xss package to do the escaping.

giladnavot commented 4 years ago

Any news regarding this vulnerability?

pnutmath commented 3 years ago

<img onerror="alert(1)" src="a"> I tried pasting this in mavon-editor, seems its not accepting it. Not even allow to type it.

I think, this issue has been resolved in version 2.8.2

https://snyk.io/vuln/SNYK-JS-MAVONEDITOR-459108

check #548

jonathanpmartins commented 3 years ago

would be nice to have NPM stop showing this issue!

pnutmath commented 3 years ago

Already mailed to npm security advisories. @jonathanpmartins you can mail them again

ygj6 commented 3 years ago

This issue has been fixed, see Snyk Report To eliminate the npm audit warning, close this issue.

If you have any questions, you can comment.

itDjango commented 3 years ago

This issue has been fixed, see Snyk Report To eliminate the npm audit warning, close this issue.

If you have any questions, you can comment.

[screenshot]

Doesn't seem to be resolved...

ygj6 commented 3 years ago

XSS filtering is off by default. To enable it, declare an xssOptions object in data, configure the xss rules there, and pass it in as a prop.

Example, for reference only:

<template>
  <div id="editor">
    <mavon-editor v-model="aaa" style="height: 100%" :xssOptions="xssOptions"></mavon-editor>
  </div>
</template>
<script>
module.exports = {
  name: "editor",
  data() {
    return {
      aaa:"",
      xssOptions: {
        // only the tags and attributes listed here survive the filter
        whiteList: {
          img: ["src", "alt", "width", "height"],
        },
        // also drop the body of any tag not in whiteList (e.g. <script>...</script>)
        stripIgnoreTagBody: true
      }
    };
  },
  computed: {},
  methods: {}
};
</script>
<style>
#editor {
  margin: auto;
  width: 80%;
  height: 580px;
}
</style>
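
An added example, not mavon-editor's own code and not posted by anyone in this thread, of what the whiteList / stripIgnoreTagBody settings above amount to and of where the filter has to sit to cover the live-preview case raised earlier: the sanitizer runs over the renderer's HTML output right before it reaches the preview pane, while the text in the editing pane is left untouched, so a typed "<" still reads as "<" there. The option names match those of the xss (js-xss) package; the tags beyond img, the URL policy and every function name here are assumptions for illustration, and production code should use that package or DOMPurify rather than a hand-rolled parser.

```javascript
// Added example (not mavon-editor's code): allowlist sanitizer for rendered preview HTML.
// Models js-xss semantics: tags/attributes not in whiteList are dropped, and with
// stripIgnoreTagBody the body of a dropped tag is discarded as well.

// img matches the thread's whiteList; the other tags are assumed for the example.
const WHITE_LIST = {
  img: ['src', 'alt', 'width', 'height'],
  p: [], a: ['href', 'title'], code: [], pre: [], strong: [], em: [], br: [],
};
// Accept http(s)/mailto URLs or scheme-less (relative) paths; rejects javascript:, data:, vbscript:.
const SAFE_URL = /^(?:(?:https?|mailto):|[^:]*$)/i;
const VOID_TAGS = new Set(['br', 'hr', 'img', 'input', 'meta', 'link', 'area', 'base', 'col', 'embed', 'source', 'track', 'wbr']);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function escapeAttr(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Decode entities before the URL check so `javascript&#58;` cannot smuggle a colon past it.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]{1,6}|#\d{1,7}|amp|lt|gt|quot|apos);/gi, (_, e) => {
    if (e[0] !== '#') return { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" }[e.toLowerCase()];
    const cp = e[1].toLowerCase() === 'x' ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

function sanitizeHtml(html, { whiteList = WHITE_LIST, stripIgnoreTagBody = true } = {}) {
  let out = '';
  let last = 0;
  let skipUntil = null; // name of the dropped tag whose body is currently being discarded
  TAG_RE.lastIndex = 0;
  for (let m; (m = TAG_RE.exec(html)) !== null;) {
    const [, slash, rawName, attrStr, selfClose] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    if (skipUntil) {
      if (slash && name === skipUntil) skipUntil = null;
      continue; // text and tags inside the dropped tag are discarded
    }
    out += text.replace(/</g, '&lt;'); // a '<' that did not form a well-formed tag is plain text
    const allowedAttrs = whiteList[name];
    if (!allowedAttrs) {
      if (stripIgnoreTagBody && !slash && !selfClose && !VOID_TAGS.has(name)) skipUntil = name;
      continue; // tag not in the allowlist: drop the tag itself
    }
    if (slash) { out += `</${name}>`; continue; }
    let attrs = '';
    ATTR_RE.lastIndex = 0;
    for (let a; (a = ATTR_RE.exec(attrStr)) !== null;) {
      const attrName = a[1].toLowerCase();
      const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
      if (!allowedAttrs.includes(attrName)) continue; // drops onerror, onclick, style, ...
      if ((attrName === 'src' || attrName === 'href') && !SAFE_URL.test(value.trim())) continue;
      attrs += ` ${attrName}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}${selfClose ? ' /' : ''}>`;
  }
  // An unterminated dropped tag swallows the rest of the input, as js-xss does.
  if (!skipUntil) out += html.slice(last).replace(/</g, '&lt;');
  return out;
}

// Usage: feed the markdown renderer's HTML through sanitizeHtml() before the preview
// pane displays it. The editing pane keeps the raw text, so "<" stays "<" while typing.
console.log(sanitizeHtml('<p>x</p><img onerror="alert(1)" src="a">'));
```

Sanitizing the rendered output rather than the source text is what keeps the editing pane showing literal "<" and ">" (the GitHub-editor behaviour asked for later in this thread), and it is also why escaping on submit or on the backend cannot help with the preview: the payload has already been rendered by the time either of those runs.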
itDjango commented 3 years ago

XSS filtering is off by default. To enable it, declare an xssOptions object in data, configure the xss rules there, and pass it in as a prop.

Example, for reference only:

<template>
  <div id="editor">
    <mavon-editor v-model="aaa" style="height: 100%" :xssOptions="xssOptions"></mavon-editor>
  </div>
</template>
<script>
module.exports = {
  name: "editor",
  data() {
    return {
      aaa:"",
      xssOptions: {
        whiteList: {
          img: ["src", "alt", "width", "height"],
        },
        stripIgnoreTagBody: true
      }
    };
  },
  computed: {},
  methods: {}
};
</script>
<style>
#editor {
  margin: auto;
  width: 80%;
  height: 580px;
}
</style>

Thanks for the answer, but this way what I see while editing is the escaped characters. If I want to see the same thing while editing as in the preview, how do I handle that? [screenshot]

ygj6 commented 3 years ago

You could try wrapping it in a code block; that should give you this effect.

itDjango commented 3 years ago

You could try wrapping it in a code block; that should give you this effect.

You may have misunderstood me. I mean like GitHub's editor: when you type < >, what you see is < >, not [screenshot]

ygj6 commented 3 years ago

This looks like a side effect of enabling xss; it will need to be optimized later, and of course we also welcome PRs.