From a3574229779ac39bcf91c77c280042bd2c1336c6 Mon Sep 17 00:00:00 2001 From: Ondrej Tuma Date: Sun, 23 May 2021 11:00:25 +0200 Subject: [PATCH] #29 fix xss vulnerable --- formiko/renderer.py | 14 ++++++++++++++ formiko/window.py | 1 + 2 files changed, 15 insertions(+) diff --git a/formiko/renderer.py b/formiko/renderer.py index adb74a7..171ceac 100644 --- a/formiko/renderer.py +++ b/formiko/renderer.py @@ -237,8 +237,12 @@ def __init__(self, win, parser='rst', writer='html4', style=''): self.webview.connect("mouse-target-changed", self.on_mouse) self.webview.connect("context-menu", self.on_context_menu) self.webview.connect("button-release-event", self.on_button_release) + self.webview.connect("load-changed", self.on_load_changed) self.add(self.webview) + settings = self.webview.get_settings() + settings.set_enable_javascript_markup(False) # XSS Fix + controller = self.webview.get_find_controller() self.search_done = None controller.connect("found-text", self.on_found_text) @@ -415,6 +419,7 @@ def render_output(self): def do_render(self): state, html, mime_type = self.render_output() + """ if state: if self.pos > 1: # vim a, b = len(self.src[:self.pos]), len(self.src[self.pos:]) @@ -423,10 +428,15 @@ def do_render(self): position = self.pos html += SCROLL % position + """ if html and self.__win.runing: file_name = self.file_name or get_home_dir() self.webview.load_bytes(Bytes(html.encode("utf-8")), mime_type, "UTF-8", "file://"+file_name) + if state: + self.scroll_to_position(self.pos) + else: + print("no scroll") def render(self, src, file_name, pos=0): self.src = src @@ -489,4 +499,8 @@ def scroll_to_position(self, position): else: position = self.pos + print('position', position) self.webview.run_javascript(JS_SCROLL % position, None, None, None) + + def on_load_changed(self, webview, event): + print('load-changed event:', event) diff --git a/formiko/window.py b/formiko/window.py index 5fdb2c9..f728e28 100644 --- a/formiko/window.py +++ b/formiko/window.py 
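Review bot: `settings.set_enable_javascript_markup(False)` only exists in WebKit2GTK 2.24 and newer, so on an older runtime the new line raises AttributeError inside `__init__` and the renderer never constructs — and if someone later wraps it in a blanket try/except, the XSS protection silently disappears. Fail closed instead: `try: settings.set_enable_javascript_markup(False)` / `except AttributeError:  # WebKit2GTK < 2.24` / `settings.set_enable_javascript(False)`, with a comment that the fallback also stops the app's own scroll script. The `# XSS Fix` comment should say what is being defended against: as far as I can tell from the `load_bytes` call in the hunk below, the rendered document is loaded with a `file://` base URI, so script in user-supplied markup would otherwise run in a local-file origin. Per the WebKitGTK docs this setting strips script elements and event-handler attributes at parse time rather than disabling the engine, so it is worth confirming (and noting in the comment) that `javascript:` hrefs, `<meta http-equiv=refresh>` and framed content are covered too. `__init__` starts and ends outside this hunk.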
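Review bot: The `"""` opened after `state, html, mime_type = self.render_output()` does not remove the scroll-injection code — it turns the lines that follow into a bare string expression that is still parsed and evaluated on every call, which linters flag as a pointless statement and which the next reader will mistake for a docstring. Delete the block outright; the `SCROLL` snippet it appended to the HTML would be stripped by the new `enable-javascript-markup` setting anyway, so keeping it commented out documents nothing. If `SCROLL` is not used elsewhere in the file (its definition is not visible here), drop that constant as well. `do_render` continues past the end of this hunk.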
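Review bot: `self.scroll_to_position(self.pos)` is called immediately after `load_bytes()`, but as far as I can tell WebKit2 loads asynchronously, so the `run_javascript` it issues targets the previous document (or none) and the scroll is lost on a fresh render. Record the target instead, `self._pending_pos = self.pos if state else None`, and perform the scroll from the `load-changed` handler this commit already connects, once the load reports finished. The `else:` / `print("no scroll")` branch can go with it; stdout noise in a GTK application belongs in `logging` if it is wanted at all. `do_render` starts before this hunk.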
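Review bot: `on_load_changed` only prints the event and `scroll_to_position` now prints every position it receives; both are debug output that should not ship (`print('position', position)` can simply be removed), and the handler is the natural place to finish the scroll that `do_render` cannot perform synchronously after an asynchronous `load_bytes()`. Compare the event against the finished load state and scroll then; the exact enum path depends on how WebKit2 is imported in this file, which I cannot see, and the handler below assumes `do_render` stores the target in `self._pending_pos`. `scroll_to_position` starts before this hunk.

```python
    def on_load_changed(self, webview, event):
        """Finish the scroll deferred by do_render once the new document has loaded."""
        if event != WebKit2.LoadEvent.FINISHED:  # enum path depends on this file's WebKit2 import
            return
        position = getattr(self, "_pending_pos", None)
        if position is not None:
            self._pending_pos = None
            self.scroll_to_position(position)
```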
@@ -266,6 +266,7 @@ def on_file_type(self, widget, ext): self.pref_menu.set_parser(parser) def on_scroll_changed(self, widget, position): + print("on scroll changed position: ", position) if self.preferences.auto_scroll: self.renderer.scroll_to_position(position)
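Review bot: The `print("on scroll changed position: ", position)` added to `on_scroll_changed` fires on every editor scroll event and writes to the stdout of a GTK application, so it is debug output that should not be merged. If the trace is useful, route it through `logging.getLogger(__name__).debug("scroll position %s", position)` (checking whether `logging` is already imported in this file, which I cannot see), otherwise drop the line. `on_scroll_changed` is shown in full here, but its enclosing class starts outside the hunk.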