sanitize description

GlobalDataverseCommunityConsortium · Dec 7, 2020 · 84d2c0e · 84d2c0e
1 parent a0fcdf2
commit 84d2c0e
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 6 deletions.
diff --git a/previewers/AudioPreview.html b/previewers/AudioPreview.html
@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/audio.js"></script>
 <script src="lib/jquery.i18n.js"></script>
 <script src="lib/jquery.i18n.messagestore.js"></script>

diff --git a/previewers/ImagePreview.html b/previewers/ImagePreview.html
@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/image.js"></script>
 <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery-zoom/1.7.21/jquery.zoom.min.js"></script>
 <script src="lib/jquery.i18n.js"></script>

diff --git a/previewers/PDFPreview.html b/previewers/PDFPreview.html
@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/pdfpreview.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/pdf.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/pdf.worker.js"></script>

diff --git a/previewers/SpreadsheetPreview.html b/previewers/SpreadsheetPreview.html
@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script src="https://cdn.jsdelivr.net/handsontable/0.28.4/handsontable.full.min.js"></script>
 <script src="https://cdn.jsdelivr.net/npm/papaparse@5"></script>
 

diff --git a/previewers/VideoPreview.html b/previewers/VideoPreview.html
@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/video.js"></script>
 <script src="lib/jquery.i18n.js"></script>
 <script src="lib/jquery.i18n.messagestore.js"></script>

diff --git a/previewers/js/retriever.js b/previewers/js/retriever.js
@@ -138,6 +138,8 @@ function addStandardPreviewHeader(file, title, authors) {
   $('body').append($('<div/>').html(footer).attr('id','footer'));
 
 	if (previewMode !== 'true') {
+
+    options = {"stripIgnoreTag":true, "stripIgnoreTagBody":['script','head']};  // Custom rules
 	  //Translated text used in the preview header
 
     var filenameText = $.i18n( "filenameText" );
@@ -161,7 +163,7 @@ function addStandardPreviewHeader(file, title, authors) {
 			$('<a/>').attr('href', filePageUrl).text(file.filename)).attr('id',
 			'filename'));
 	  if ((file.description != null) && (file.description.length > 0)) {
-		  header.append($('<div/>').html("<span>" + descriptionText + "</span>" + file.description));
+		  header.append($('<div/>').html(filterXSS("<span>" + descriptionText + "</span>" + file.description), options));
 	  }
 	  header.append($('<div/>').append($("<span/>").text(inText)).append(
 			$('<span/>').attr('id', 'dataset').append(