
Merge pull request #1295 from UziTech/demo-xss
use iframe to sandbox generated html
styfle authored Jul 9, 2018
2 parents 1efe36b + d42f086 commit 9386fa9
Showing 6 changed files with 38 additions and 5 deletions.
5 changes: 3 additions & 2 deletions README.md
Expand Up @@ -29,7 +29,9 @@ Our [documentation pages](https://marked.js.org) are also rendered using marked

**In-browser:** `npm install marked --save`

## Usage
## Usage

### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML by default 🚨

**CLI**

Expand Down Expand Up @@ -64,4 +66,3 @@ $ cat hello.html
## License

Copyright (c) 2011-2018, Christopher Jeffrey. (MIT License)

2 changes: 2 additions & 0 deletions docs/README.md
Expand Up @@ -39,6 +39,8 @@ These documentation pages are also rendered using marked 💯

<h2 id="usage">Usage</h2>

### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML by default 🚨

**CLI**

``` bash
8 changes: 8 additions & 0 deletions docs/demo/demo.css
Expand Up @@ -53,3 +53,11 @@ header h1 {
flex-grow: 1;
flex-shrink: 1;
}

#preview {
display: flex;
}

#preview iframe {
flex-grow: 1;
}
15 changes: 12 additions & 3 deletions docs/demo/demo.js
Expand Up @@ -9,7 +9,7 @@ if (!window.fetch) {

var $inputElem = document.querySelector('#input');
var $outputTypeElem = document.querySelector('#outputType');
var $previewElem = document.querySelector('#preview');
var $previewIframe = document.querySelector('#preview iframe');
var $permalinkElem = document.querySelector('#permalink');
var $clearElem = document.querySelector('#clear');
var $htmlElem = document.querySelector('#html');
Expand All @@ -20,6 +20,13 @@ var $activeElem = null;
var changeTimeout = null;
var search = searchToObject();

var iframeLoaded = false;
$previewIframe.addEventListener('load', function () {
iframeLoaded = true;
inputDirty = true;
checkForChanges();
})

if ('text' in search) {
$inputElem.value = search.text;
} else {
Expand Down Expand Up @@ -51,7 +58,7 @@ function handleChange() {
$panes[i].style.display = 'none';
}
$activeElem = document.querySelector('#' + $outputTypeElem.value);
$activeElem.style.display = 'block';
$activeElem.style.display = '';

updateLink();
};
Expand Down Expand Up @@ -155,7 +162,9 @@ function checkForChanges() {

var parsed = marked.parser(lexed);

$previewElem.innerHTML = (parsed);
if (iframeLoaded) {
$previewIframe.contentDocument.body.innerHTML = (parsed);
}
$htmlElem.value = (parsed);
$lexerElem.value = (lexedList.join('\n'));

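Review bot: The assignment `$previewIframe.contentDocument.body.innerHTML = (parsed)` is only safe because index.html embeds the frame with `sandbox="allow-same-origin"` and no `allow-scripts`, and nothing in demo.js records that dependency; a comment above it, `// Raw HTML is only safe here because the preview iframe is sandboxed without allow-scripts (see index.html).`, would keep a later edit to the sandbox list from silently undoing this fix. The `iframeLoaded` flag is also set on every `load` event of the frame, but `contentDocument` is null once the frame holds a cross-origin document, so that line would throw and abort the rest of checkForChanges; a guard such as `var doc = $previewIframe.contentDocument; if (doc && doc.body) { doc.body.innerHTML = parsed; }` is cheaper than the crash. The `load` listener ends with `})` where the file's other statements carry a semicolon, so `});` would be consistent. `inputDirty` is assigned in the handler but not declared in this hunk, so I assume it is a file-level var declared above. checkForChanges and handleChange both begin outside their hunks.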
1 change: 1 addition & 0 deletions docs/demo/index.html
Expand Up @@ -42,6 +42,7 @@ <h1>Marked Demo</h1>
<noscript>
<h2>You'll need to enable Javascript to use this tool.</h2>
</noscript>
<iframe src="./preview.html" frameborder="0" sandbox="allow-same-origin"></iframe>
</div>

<textarea id="html" class="pane" readonly="readonly"></textarea>
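Review bot: `sandbox="allow-same-origin"` with no `allow-scripts` token is the property that makes this change an XSS fix: markup written into the frame cannot run script, while the parent keeps `contentDocument` access to fill it. That invariant deserves a comment on the tag, e.g. `<!-- sandbox must never gain allow-scripts: combined with allow-same-origin the framed content could remove its own sandbox -->`, because adding the token later would be an easy and invisible regression. With no `allow-forms`, `allow-popups` or `allow-top-navigation*` token, form submission, `_blank` links and navigation of the parent from inside the preview are blocked as well, which looks intended but is worth stating in the same comment. An accessible name such as `title="Rendered preview"` on the iframe would also help screen-reader users.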
12 changes: 12 additions & 0 deletions docs/demo/preview.html
@@ -0,0 +1,12 @@

<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>marked.js preview</title>
<link rel="stylesheet" href="./demo.css" />
<base target="_parent">
</head>
<body>
</body>
</html>
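Review bot: `<base target="_parent">` in the new head will, as far as I can tell, not do what it suggests: index.html embeds this page with `sandbox="allow-same-origin"` only, and a sandbox without `allow-top-navigation` or `allow-top-navigation-by-user-activation` blocks navigating the parent or top browsing context, so links rendered in the preview would be refused rather than opened in the demo page. Either drop the `<base>` element, or, if clicking links in the preview is meant to work, add `allow-top-navigation-by-user-activation` to the sandbox list in index.html so that only a user gesture, not injected markup, can navigate the page. A one-line comment beside `<base>` naming which of the two is intended would make the decision explicit for later readers.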
