From 9af3628a21659275e51d3a12ea369edcb36e907d Mon Sep 17 00:00:00 2001
From: ajaxzheng <894103554@qq.com>
Date: Tue, 18 Mar 2025 17:21:46 +0800
Subject: [PATCH 1/4] docs: add XSS whitelist configuration FAQ

---
 examples/sites/demos/pc/webdoc/faq.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/examples/sites/demos/pc/webdoc/faq.md b/examples/sites/demos/pc/webdoc/faq.md
index 5d55b4ad5f..4caaf12dc2 100644
--- a/examples/sites/demos/pc/webdoc/faq.md
+++ b/examples/sites/demos/pc/webdoc/faq.md
@@ -85,3 +85,28 @@ module.exports = {
 transpileDependencies: ['@opentiny/fluent-editor', 'quill']
 }
 ```
+
+## 4、通过 `@opentiny/utils` 配置 `xss` 白名单(v3.21.0 开始支持)
+
+目前进行严格的过滤,建议使用 `JS-XSS` 进行处理。对不符合要求的代码片段做删除处理,若开发者在开发期间有其他 `HTML` 标签确认安全(富文本场景)的需求场景,由开发者手动配置 `xss` 白名单。
+
+使用 `@opentiny/utils` 中的 `setXssOption` 方法传入自定义的 `xss` 白名单,示例:
+
+```js
+import { xss } from '@opentiny/utils'
+
+const options = {
+ enableAttrs: true,
+ enableHtml: true,
+ enableUrl: true,
+
+ html: {
+ whiteList: {
+ a: ['class', 'style', 'contenteditable', 'data-id', 'data-title', 'data-size', 'href', 'data-last-modified'],
+ img: ['class', 'style', 'devui-editorx-image', 'style', 'data-image-id', 'src']
+ }
+ }
+}
+
+xss.setXssOption(options)
+```

From 8d50b9b6ef37a311a278c8ff40dc46fc60627753 Mon Sep 17 00:00:00 2001
From: ajaxzheng <894103554@qq.com>
Date: Tue, 18 Mar 2025 17:22:19 +0800
Subject: [PATCH 2/4] docs: add XSS whitelist configuration FAQ

---
 examples/sites/demos/pc/webdoc/faq.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/sites/demos/pc/webdoc/faq.md b/examples/sites/demos/pc/webdoc/faq.md
index 4caaf12dc2..2efdca660f 100644
--- a/examples/sites/demos/pc/webdoc/faq.md
+++ b/examples/sites/demos/pc/webdoc/faq.md
@@ -86,7 +86,7 @@ module.exports = {
 }
 ```
-## 4、通过 `@opentiny/utils` 配置 `xss` 白名单(v3.21.0 开始支持)
+## 5、通过 `@opentiny/utils` 配置 `xss` 白名单(v3.21.0 开始支持)
 目前进行严格的过滤,建议使用 `JS-XSS` 进行处理。对不符合要求的代码片段做删除处理,若开发者在开发期间有其他 `HTML` 标签确认安全(富文本场景)的需求场景,由开发者手动配置 `xss` 白名单。

From 470b503dafe1985f5894193eb94e343483a54424 Mon Sep 17 00:00:00 2001
From: ajaxzheng <894103554@qq.com>
Date: Tue, 18 Mar 2025 17:29:04 +0800
Subject: [PATCH 3/4] =?UTF-8?q?docs:=20=E4=BC=98=E5=8C=96img=E7=99=BD?=
 =?UTF-8?q?=E5=90=8D=E5=8D=95=E5=88=AB=E8=A1=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 examples/sites/demos/pc/webdoc/faq.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/sites/demos/pc/webdoc/faq.md b/examples/sites/demos/pc/webdoc/faq.md
index 2efdca660f..9d4c1534d4 100644
--- a/examples/sites/demos/pc/webdoc/faq.md
+++ b/examples/sites/demos/pc/webdoc/faq.md
@@ -103,7 +103,7 @@ const options = {
 html: {
 whiteList: {
 a: ['class', 'style', 'contenteditable', 'data-id', 'data-title', 'data-size', 'href', 'data-last-modified'],
- img: ['class', 'style', 'devui-editorx-image', 'style', 'data-image-id', 'src']
+ img: ['class', 'style', 'style', 'data-image-id', 'src']
 }
 }
 }

From 35e2917a7ba89d5555275911a5102c3a0a366ba8 Mon Sep 17 00:00:00 2001
From: ajaxzheng <894103554@qq.com>
Date: Wed, 19 Mar 2025 10:52:24 +0800
Subject: [PATCH 4/4] =?UTF-8?q?docs:=20=E6=9B=B4=E6=96=B0img=E7=99=BD?=
 =?UTF-8?q?=E5=90=8D=E5=8D=95=EF=BC=8C=E7=A7=BB=E9=99=A4=E9=87=8D=E5=A4=8D?=
 =?UTF-8?q?=E7=9A=84style=E5=B1=9E=E6=80=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 examples/sites/demos/pc/webdoc/faq.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/sites/demos/pc/webdoc/faq.md b/examples/sites/demos/pc/webdoc/faq.md
index 9d4c1534d4..0feb68fd92 100644
--- a/examples/sites/demos/pc/webdoc/faq.md
+++ b/examples/sites/demos/pc/webdoc/faq.md
@@ -103,7 +103,7 @@ const options = {
 html: {
 whiteList: {
 a: ['class', 'style', 'contenteditable', 'data-id', 'data-title', 'data-size', 'href', 'data-last-modified'],
- img: ['class', 'style', 'style', 'data-image-id', 'src']
+ img: ['class', 'style', 'src']
 }
 }
 }