Dan Brown
492af79c27
Added a couple of additional CSP rules
As per guidance from Google's CSP evaluator.
2021-09-04 14:34:43 +01:00
Dan Brown
253f386f00
Finished off script CSP rules
- Added caching for custom html head parsing to add nonce.
- Also moved api docs page into web routes to prevent issues.
2021-09-04 13:57:04 +01:00
Dan Brown
fd44e4ba74
Started application of CSP headers
2021-09-03 23:32:42 +01:00
Dan Brown
040997fdc4
Added filter for xlink:href svg xss
Simply remove all such attributes
2021-09-03 22:34:49 +01:00
Dan Brown
5e6092aaf8
Added extra HTML filtering of dangerous content
In particular, that around the casing of dangerous values within
attributes. This uses some XPath translation to handle different casing
in contains searching.
2021-09-02 22:02:30 +01:00
Dan Brown
934a833818
Apply fixes from StyleCI
2021-06-26 15:23:15 +00:00
Dan Brown
b5caaa73b7
Fixed content parsing break with line html comment
Fixes issues thrown in custom HTML head & page content filtering when
the content is comprised of only a single HTML comment.
Adds tests to cover.
For #2804
2021-06-13 12:53:04 +01:00
Dan Brown
43b6633183
Filtered scripts in custom HTML head for exports
Since it appeared to cause problems in some scenarios.
Related to #2490
2021-05-03 23:59:52 +01:00