
Content injection demo
Updated the content injection demo and added `onerror` to the DOMPurify
allowed-attribute list (ADD_ATTR)
hackvertor committed Sep 12, 2016
1 parent 69690bb commit 3f32c76
Showing 3 changed files with 60 additions and 6 deletions.
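--- a/MentalJS.html
+++ b/MentalJS.html
@@ -131,7 +131,7 @@
 parseInnerHTML : function(dirty) {
 var config = {
 ADD_TAGS: ['script'],
-ADD_ATTR: ['onclick', 'onmouseover']
+ADD_ATTR: ['onclick', 'onmouseover','onerror']
 };
 DOMPurify.addHook('uponSanitizeElement', function(node, data) {
 if (data.tagName === 'script') {
@@ -157,7 +157,7 @@
 return node.parentNode.removeChild(node);
 }
 }
-});
+});
 DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
 if (data.attrName.match(/^on\w+/)) {
 var script = data.attrValue;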
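Review bot: Adding `onerror` to `ADD_ATTR` on the changed line means a rewritten handler can now run with no user interaction, as soon as an `<img>` or similar element fails to load, so the `uponSanitizeAttribute` hook below becomes the only barrier for that value; the hunk shows that hook handing `data.attrValue` to MentalJS, but its catch branch, the `sanitize` call and the end of `parseInnerHTML` are outside this hunk. A comment on the allowlist should record that dependency: `// on* values are only safe because the uponSanitizeAttribute hook below rewrites them; do not add an event attribute without it`. Both `addHook` calls also sit inside `parseInnerHTML` (which begins on the first line of the hunk and ends outside it), so if DOMPurify keeps every hook passed to `addHook` — as its API name suggests, not visible here — each later call to `parseInnerHTML` registers another copy and re-runs the rewrite on already-rewritten code; registering the hooks once, outside the function, avoids that.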
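--- a/scripts/content_injection.js
+++ b/scripts/content_injection.js
@@ -1,6 +1,59 @@
 window.addEventListener('DOMContentLoaded', function() {
 var html = document.getElementById('MentalRender').textContent, js=MentalJS();
-js.init({dom:true});
+js.init({
+dom:true,
+parseInnerHTML : function(dirty) {
+var config = {
+ADD_TAGS: ['script'],
+ADD_ATTR: ['onclick', 'onmouseover','onerror']
+};
+DOMPurify.addHook('uponSanitizeElement', function(node, data) {
+if (data.tagName === 'script') {
+var script = node.textContent;
+if (!script || 'src' in node.attributes
+|| 'href' in node.attributes
+|| 'xlink:href' in node.attributes) {
+return node.parentNode.removeChild(node)
+}
+try {
+// Pass scripts to MentalJS
+var mental = MentalJS().parse(
+{
+options: {
+eval: false,
+dom:true
+},
+code:script
+}
+);
+return node.textContent = mental;
+} catch (e) {
+return node.parentNode.removeChild(node);
+}
+}
+});
+DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
+if (data.attrName.match(/^on\w+/)) {
+var script = data.attrValue;
+try {
+// Pass scripts to MentalJS
+return data.attrValue = MentalJS().parse(
+{
+options: {
+eval: false,
+dom: true
+},
+code: script
+}
+);
+} catch (e) {
+return data.attrValue = '';
+}
+}
+});
+return DOMPurify.sanitize(dirty, config);
+}
+});
 js.parse({options:{eval:true},code:'this.sandboxedFunction=function(str){document.body.innerHTML=str}'});
 this.sandboxedFunction$(html);
 }, false);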
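Review bot: The two `DOMPurify.addHook` calls are made inside `parseInnerHTML`, so every call of that function registers a further copy of both hooks; assuming DOMPurify retains all hooks passed to `addHook` (not visible here), the second `innerHTML` assignment from the sandbox runs each `<script>` body and `on*` value through `MentalJS().parse` twice, a third one three times, each time with the previous rewrite's output as input. Moving the `config` object and both `addHook` calls up to run once when `DOMContentLoaded` fires, and leaving `parseInnerHTML` as the `sanitize` call alone, fixes this without changing what a single sanitize pass does. The attribute hook's `catch` that blanks `data.attrValue` and the script hook's removal of the node on parse failure are the right fail-closed defaults and should stay as they are.
```javascript
window.addEventListener('DOMContentLoaded', function() {
  var html = document.getElementById('MentalRender').textContent, js=MentalJS();
  var config = {
    ADD_TAGS: ['script'],
    ADD_ATTR: ['onclick', 'onmouseover','onerror']
  };
  // Registered once: DOMPurify retains every hook handed to addHook.
  DOMPurify.addHook('uponSanitizeElement', function(node, data) {
    // … unchanged: <script> handling (src/href check, MentalJS rewrite, removal on failure) …
  });
  DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
    // … unchanged: on* attribute rewrite, blanked on parse failure …
  });
  js.init({
    dom:true,
    parseInnerHTML : function(dirty) {
      return DOMPurify.sanitize(dirty, config);
    }
  });
  // … unchanged: sandboxedFunction setup, call and listener close …
```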
7 changes: 4 additions & 3 deletions scripts/content_injection.php
Expand Up @@ -3,12 +3,13 @@
<head>
<meta charset="UTF-8" />
<title>Content injection demo</title>
<script src="../javascript/purify.js"></script>
<script src="../javascript/Mental.js"></script>
<script src="content_injection.js"></script>
</head>
<body>
<plaintext id="MentalRender" />
<body>
<plaintext id="MentalRender" />
<h1>Content Injection demo</h1>
<?php echo $_GET['x']?>
</body>
</html>
</html>
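Review bot: `<?php echo $_GET['x']?>` has no `isset` guard, so a request without `x` makes PHP raise an undefined-index notice, and if notices are displayed it lands in the response after `<plaintext>`, where it becomes part of the raw text that content_injection.js reads and hands to the sandbox; use `<?php echo isset($_GET['x']) ? $_GET['x'] : '' ?>`. The unescaped echo is presumably the intended injection point of this demo and is only acceptable because `<plaintext>` stops HTML parsing of everything after it (the closing `</body>` and `</html>` included), so that assumption deserves a comment: `<?php /* deliberately unescaped: everything after <plaintext> is raw text read via textContent by content_injection.js */ echo ... ?>`. Which of the duplicated `<body>`/`<plaintext>`/`</html>` lines is old or new is not recoverable from this rendering, so the section is left as printed.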
