Merge branch 'fix-xss' of https://github.com/btea/Luckysheet into btea-fix-xss

4 years ago · af9beabfed
2 changed files with 11 additions and 7 deletions
--- a/src/controllers/updateCell.js
+++ b/src/controllers/updateCell.js
@ -217,7 +217,7 @@ export function luckysheetupdateCell(row_index1, col_index1, d, cover, isnotfocu
    if((value == null || value.toString() == "") && !cover){
        value = "<br/>";
    }
-    
+    value = formula.xssDeal(value);
    if(!checkProtectionCellHidden(row_index, col_index, Store.currentSheetIndex) && value.length>0 && value.substr(0, 63)=='<span dir="auto" class="luckysheet-formula-text-color">=</span>'){
        $("#luckysheet-rich-text-editor").html("");
    }
--- a/src/global/formula.js
+++ b/src/global/formula.js
@ -321,6 +321,10 @@ const luckysheetformula = {
            sheetmanage.changeSheetExec(_this.rangetosheet);
        }
    },
+    xssDeal: function(str) {
+        if (typeof str !== 'string') return str;
+        return str.replace(/<script>/g, '&lt;script&gt;').replace(/<\/script>/, '&lt;/script&gt;');
+    },
    fucntionboxshow: function(r, c) {

        if (!checkProtectionCellHidden(r, c, Store.currentSheetIndex)) {
@ -346,7 +350,7 @@ const luckysheetformula = {
                value = valueShowEs(r, c, d);
            }
        }
-
+        value = this.xssDeal(value);
        _this.oldvalue = value;
        $("#luckysheet-functionbox-cell").html(value);
    },
@ -3331,11 +3335,11 @@ const luckysheetformula = {
            $editer = $input;
        let value1 = $editer.html(),
            value1txt = $editer.text();
-
+        let xssDeal = this.xssDeal
        setTimeout(function() {
            let value = $editer.text(),
                valuetxt = value;
-
+            value = xssDeal(value);
            if (value.length > 0 && value.substr(0, 1) == "=" && (kcode != 229 || value.length == 1)) {
                value = _this.functionHTMLGenerate(value);
                value1 = _this.functionHTMLGenerate(value1txt);