From 8b90e1d093d48725e38d80d40e807d26712c42ea Mon Sep 17 00:00:00 2001
From: btea <2356281422@qq.com>
Date: Tue, 30 Mar 2021 11:43:56 +0800
Subject: [PATCH] edit: filter xss

---
 src/controllers/updateCell.js |  2 +-
 src/global/formula.js         | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/controllers/updateCell.js b/src/controllers/updateCell.js
index 26e7bfd..d120db4 100644
--- a/src/controllers/updateCell.js
+++ b/src/controllers/updateCell.js
@@ -213,7 +213,7 @@ export function luckysheetupdateCell(row_index1, col_index1, d, cover, isnotfocu
     if((value == null || value.toString() == "") && !cover){
         value = "<br/>";
     }
-    
+    value = formula.xssDeal(value);
     if(!checkProtectionCellHidden(row_index, col_index, Store.currentSheetIndex) && value.length>0 && value.substr(0, 63)=='<span dir="auto" class="luckysheet-formula-text-color">=</span>'){
         $("#luckysheet-rich-text-editor").html("");
     }
diff --git a/src/global/formula.js b/src/global/formula.js
index 4d2c5ea..f38efe2 100644
--- a/src/global/formula.js
+++ b/src/global/formula.js
@@ -321,6 +321,10 @@ const luckysheetformula = {
             sheetmanage.changeSheetExec(_this.rangetosheet);
         }
     },
+    xssDeal: function(str) {
+        if (typeof str !== 'string') return str;
+        return str.replace(/<script>/g, '&lt;script&gt;').replace(/<\/script>/, '&lt;/script&gt;');
+    },
     fucntionboxshow: function(r, c) {
 
         if(!checkProtectionCellHidden(r, c, Store.currentSheetIndex)){
@@ -346,7 +350,7 @@ const luckysheetformula = {
                 value = valueShowEs(r, c, d);
             }
         }
-
+        value = this.xssDeal(value);
         _this.oldvalue = value;
         $("#luckysheet-functionbox-cell").html(value);
     },
@@ -3313,11 +3317,11 @@ const luckysheetformula = {
             $editer = $input;
         let value1 = $editer.html(),
             value1txt = $editer.text();
-
+        let xssDeal = this.xssDeal
         setTimeout(function() {
             let value = $editer.text(),
                 valuetxt = value;
-
+            value = xssDeal(value);
             if (value.length > 0 && value.substr(0, 1) == "=" && (kcode != 229 || value.length == 1)) {
                 value = _this.functionHTMLGenerate(value);
                 value1 = _this.functionHTMLGenerate(value1txt);
@@ -5464,4 +5468,4 @@ const luckysheetformula = {
     data_parm_index: 0  //选择公式后参数索引标记
 }
 
-export default luckysheetformula;
\ No newline at end of file
+export default luckysheetformula;