@json-editor/json-editor 2.15.3 → 2.16.0

package/package.json

@@ -2,7 +2,7 @@
   "name": "@json-editor/json-editor",
   "title": "JSONEditor",
   "description": "JSON Schema based editor",
-  "version": "2.15.3",
+  "version": "2.16.0",
   "main": "dist/jsoneditor.js",
   "author": {
     "name": "Jeremy Dorn",

package/src/editor.js

@@ -521,6 +521,20 @@ export class AbstractEditor {
     }
   }
 
+  purify (val) {
+    if (typeof val !== 'string') {
+      return val
+    }
+
+    if (window.DOMPurify) {
+      val = window.DOMPurify.sanitize(val)
+    } else {
+      val = this.cleanText(val)
+    }
+
+    return val
+  }
+
   getHeaderText (titleOnly) {
     if (this.header_text) return this.header_text
     else if (titleOnly) return this.translateProperty(this.schema.title)

package/src/editors/hidden.js

@@ -84,6 +84,7 @@ export class HiddenEditor extends AbstractEditor {
    * This is overridden in derivative editors
    */
   sanitize (value) {
+    value = this.purify(value)
     return value
   }
 

package/src/editors/multiselect.js

@@ -178,6 +178,7 @@ export class MultiSelectEditor extends AbstractEditor {
   }
 
   sanitize (value) {
+    value = this.purify(value)
     if (this.schema.items.type === 'boolean') return !!value
     else if (this.schema.items.type === 'number') return 1 * value || 0
     else if (this.schema.items.type === 'integer') return Math.floor(value * 1 || 0)

package/src/editors/string.js

@@ -18,6 +18,7 @@ export class StringEditor extends AbstractEditor {
   }
 
   setValue (value, initial, fromTemplate) {
+    value = this.purify(value)
     value = this.applyConstFilter(value)
 
     if (this.template && !fromTemplate) return
@@ -362,6 +363,7 @@ export class StringEditor extends AbstractEditor {
    * This is overridden in derivative editors
    */
   sanitize (value) {
+    value = this.purify(value)
     return value
   }
 

package/src/editors/uuid.js

@@ -26,6 +26,7 @@ export class UuidEditor extends StringEditor {
   }
 
   sanitize (value) {
+    value = this.purify(value)
     if (!this.testUuid(value)) value = this.uuid
     return value
   }

package/tests/codeceptjs/editors/purify_test.js

@@ -0,0 +1,26 @@
+/* global Feature Scenario */
+
+Feature('purify')
+
+Scenario('Should @purify @optional XSS from direct input', async ({ I }) => {
+  I.amOnPage('purify.html')
+  I.waitForElement('[name="root[string]"]')
+  I.fillField('[name="root[string]"]', 'bla</script><script>alert(1)</script>')
+  I.pressKey('Tab')
+  I.wait(1)
+  I.click('.get-value')
+  I.wait(1)
+  I.waitForValue('#value', '{"string":"bla"}')
+})
+
+Scenario('Should @purify @optional XSS from setValue() via textarea', async ({ I }) => {
+  I.amOnPage('purify.html')
+  I.waitForElement('#value')
+  I.fillField('#value', 'bla</script><script>alert(1)</script>')
+  I.pressKey('Tab')
+  I.click('.set-value')
+  I.wait(2)
+  I.click('.get-value')
+  I.wait(1)
+  I.waitForValue('#value', '{"string":"bla"}')
+})

package/tests/docker-compose-local.yml

@@ -0,0 +1,5 @@
+services:
+  chrome:
+    image: seleniarm/standalone-chromium
+  firefox:
+    image: seleniarm/standalone-firefox

package/tests/pages/purify.html

@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8"/>
+  <title>Purify</title>
+  <script src="https://cdn.jsdelivr.net/npm/dompurify@3.3.1/dist/purify.min.js"></script>
+  <script src="../../dist/jsoneditor.js"></script>
+  <link rel="stylesheet" id="theme-link" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css">
+  <link rel="stylesheet" id="iconlib-link" href="https://use.fontawesome.com/releases/v5.6.1/css/all.css">
+</head>
+<body>
+
+<div class="container">
+  <div id='editor-container'></div>
+  <label for="value">Value</label>
+  <textarea id="value" class="form-control value" rows="10"></textarea>
+  <button class="get-value btn btn-primary">Get Value</button>
+  <button class="set-value btn btn-secondary">Set Value</button>
+</div>
+
+<script>
+  const editorContainer = document.querySelector('#editor-container')
+  const value = document.querySelector('#value');
+  const schema = {
+    "type": "object",
+    "title": "Purify",
+    "properties": {
+      "string": {
+        "title": "string (StringEditor)",
+        "type": "string"
+      }
+    }
+  }
+
+  const editor = new JSONEditor(editorContainer, {
+    schema: schema,
+    theme: 'bootstrap4',
+    iconlib: 'fontawesome',
+    disable_properties: true,
+    disable_collapse: true,
+    disable_edit_json: true,
+  })
+
+  const getValueBtn = document.querySelector('.get-value')
+  const setValueBtn = document.querySelector('.set-value')
+
+  editor.on('change', function () {
+    value.value = JSON.stringify(editor.getValue())
+  })
+
+  getValueBtn.addEventListener('click', function () {
+    value.value = JSON.stringify(editor.getValue())
+  })
+
+  setValueBtn.addEventListener('click', function () {
+    try {
+      editor.setValue(JSON.parse(value.value))
+    } catch (e) {
+      editor.setValue({ string: value.value })
+    }
+  })
+</script>
+
+</body>
+</html>
+