#29 fix xss vulnerable

ondratu · May 23, 2021 · a357422 · a357422
1 parent 44ea00f
commit a357422
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/formiko/renderer.py b/formiko/renderer.py
@@ -237,8 +237,12 @@ def __init__(self, win, parser='rst', writer='html4', style=''):
         self.webview.connect("mouse-target-changed", self.on_mouse)
         self.webview.connect("context-menu", self.on_context_menu)
         self.webview.connect("button-release-event", self.on_button_release)
+        self.webview.connect("load-changed", self.on_load_changed)
         self.add(self.webview)
 
+        settings = self.webview.get_settings()
+        settings.set_enable_javascript_markup(False)  # XSS Fix
+
         controller = self.webview.get_find_controller()
         self.search_done = None
         controller.connect("found-text", self.on_found_text)
@@ -415,6 +419,7 @@ def render_output(self):
 
     def do_render(self):
         state, html, mime_type = self.render_output()
+        """
         if state:
             if self.pos > 1:     # vim
                 a, b = len(self.src[:self.pos]), len(self.src[self.pos:])
@@ -423,10 +428,15 @@ def do_render(self):
                 position = self.pos
 
             html += SCROLL % position
+        """
         if html and self.__win.runing:
             file_name = self.file_name or get_home_dir()
             self.webview.load_bytes(Bytes(html.encode("utf-8")),
                                     mime_type, "UTF-8", "file://"+file_name)
+        if state:
+            self.scroll_to_position(self.pos)
+        else:
+            print("no scroll")
 
     def render(self, src, file_name, pos=0):
         self.src = src
@@ -489,4 +499,8 @@ def scroll_to_position(self, position):
         else:
             position = self.pos
 
+        print('position', position)
         self.webview.run_javascript(JS_SCROLL % position, None, None, None)
+
+    def on_load_changed(self, webview, event):
+        print('load-changed event:', event)
diff --git a/formiko/window.py b/formiko/window.py
@@ -266,6 +266,7 @@ def on_file_type(self, widget, ext):
         self.pref_menu.set_parser(parser)
 
     def on_scroll_changed(self, widget, position):
+        print("on scroll changed position: ", position)
         if self.preferences.auto_scroll:
             self.renderer.scroll_to_position(position)