skip empty srcs for safe iframe srcs (#3216)
* skip empty srcs for safe iframe srcs

Fixes #3215

* Addressed review feedback
peterbe authored Mar 12, 2021
1 parent 6cbc6a0 commit 18ef258
Showing 3 changed files with 23 additions and 7 deletions.
24 changes: 19 additions & 5 deletions build/flaws.js
Expand Up @@ -61,9 +61,15 @@ function injectFlaws(doc, $, options, document) {
doc.flaws[flawName] &&
doc.flaws[flawName].length > 0
) {
throw new Error(
`${flawName} flaws: ${doc.flaws[flawName].map((f) => f.explanation)}`
);
// To make the stdout output a bit more user-friendly, print one warning
// for each explanation
doc.flaws[flawName].forEach((flaw, i) => {
console.warn(
i + 1,
chalk.yellow(`${chalk.bold(flawName)} flaw: ${flaw.explanation}`)
);
});
throw new Error(`${doc.flaws[flawName].length} ${flawName} flaws`);
}
}
}
Expand Down Expand Up @@ -103,8 +109,6 @@ function injectUnsafeHTMLFlaws(doc, $, { rawContent }) {
}

const safeIFrameSrcs = [
LIVE_SAMPLES_BASE_URL.toLowerCase(),
INTERACTIVE_EXAMPLES_BASE_URL.toLowerCase(),
// EmbedGHLiveSample.ejs
"https://mdn.github.io",
// EmbedYouTube.ejs
Expand All @@ -114,12 +118,22 @@ function injectUnsafeHTMLFlaws(doc, $, { rawContent }) {
// EmbedTest262ReportResultsTable.ejs
"https://test262.report",
];
if (LIVE_SAMPLES_BASE_URL) {
safeIFrameSrcs.push(LIVE_SAMPLES_BASE_URL.toLowerCase());
}
if (INTERACTIVE_EXAMPLES_BASE_URL) {
safeIFrameSrcs.push(INTERACTIVE_EXAMPLES_BASE_URL.toLowerCase());
}

$("script, embed, object, iframe").each((i, element) => {
const { tagName } = element;
if (tagName === "iframe") {
// For iframes we only check the 'src' value
const src = $(element).attr("src");
// Local URLs are always safe.
if (!(src.startsWith("//") || src.includes("://"))) {
return;
}
if (!safeIFrameSrcs.find((s) => src.toLowerCase().startsWith(s))) {
addFlaw(element, `Unsafe <iframe> 'src' value (${src})`);
}
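Review bot: The new "local URL" shortcut on the `if (!(src.startsWith("//") || src.includes("://")))` line treats any value without `//` as local, so scheme-only values such as `javascript:` or `data:` URLs return early and are never compared against the allowlist or reported as flaws; a scheme test closes that gap: `if (!(src.startsWith("//") || /^[a-z][a-z0-9+.-]*:/i.test(src))) {`. The same guard dereferences `src` unconditionally, and `$(element).attr("src")` is undefined for an `<iframe>` with no `src` attribute, so `const src = $(element).attr("src") || "";` on the line above keeps the build from throwing a TypeError there (the pre-existing `toLowerCase()` line had the same exposure). Separately, the allowlist is matched with `startsWith` against entries like `"https://mdn.github.io"` that carry no trailing slash, so a host that merely begins with that string would also be accepted; appending `/` to each origin, or comparing `new URL(src).origin` against the list, would tighten it. injectUnsafeHTMLFlaws starts before and continues past this hunk.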
2 changes: 2 additions & 0 deletions testing/content/files/en-us/web/unsafe_html/index.html
Expand Up @@ -20,6 +20,8 @@

<iframe src="https://www.peterbe.com/"></iframe>

<iframe src="//evil.com/"></iframe>

<p>Here's a link that contains the string <code>:JavaScript</code> within the <code>href</code>
attribute:<br>
<a href="https://wiki.mozilla.org/JavaScript:New_to_SpiderMonkey">
4 changes: 2 additions & 2 deletions testing/tests/index.test.js
Expand Up @@ -1292,10 +1292,10 @@ test("unsafe HTML gets flagged as flaws and replace with its raw HTML", () => {

const jsonFile = path.join(builtFolder, "index.json");
const { doc } = JSON.parse(fs.readFileSync(jsonFile));
expect(doc.flaws.unsafe_html.length).toBe(5);
expect(doc.flaws.unsafe_html.length).toBe(6);

const htmlFile = path.join(builtFolder, "index.html");
const html = fs.readFileSync(htmlFile, "utf-8");
const $ = cheerio.load(html);
expect($("code.unsafe-html").length).toBe(5);
expect($("code.unsafe-html").length).toBe(6);
});
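Review bot: The bumped expectations on the two `toBe(6)` lines only account for the new `//evil.com/` fixture; nothing in this test exercises the #3215 condition itself, where an empty `LIVE_SAMPLES_BASE_URL` previously let every iframe pass the allowlist because `startsWith("")` is always true. If the build reads that value from the environment, building once more in this test with it set to `""` and asserting that an external iframe is still flagged would pin the regression the commit fixes. The test body starts before this hunk.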
