Revert "enhance: PR394 Prevent XSS in FolderComponent and block ipcRenderer i…"

2026-05-27 00:14:22 +00:00 · 2025-09-29 09:49:43 +08:00 · 2025-09-29 09:49:43 +08:00 · 397da7398b
commit 397da7398b
parent b9297b8116
3 changed files with 9 additions and 52 deletions
--- a/electron/main/fileReader.ts
+++ b/electron/main/fileReader.ts
@ -445,7 +445,10 @@ export class FileReader {
 				if (type === 'md') {
 					const content = fs.readFileSync(filePath, 'utf-8')
 					resolve(content)
-				} else if (type === 'html') {
+				} else if (isShowSourceCode && type === 'html') {
+					const content = fs.readFileSync(filePath, 'utf-8')
+					resolve(content)
+				}else if (type === 'html') {
 					const content = fs.readFileSync(filePath, 'utf-8')
 					resolve(content)
 				} else if (["pdf"].includes(type)) {
--- a/package.json
+++ b/package.json
@ -93,7 +93,6 @@
    "@testing-library/react": "^16.3.0",
    "@testing-library/user-event": "^14.6.1",
    "@types/archiver": "^6.0.3",
-    "@types/dompurify": "^3.0.5",
    "@types/lodash-es": "^4.17.12",
    "@types/papaparse": "^5.3.16",
    "@types/react": "^18.3.12",
--- a/src/components/Folder/FolderComponent.tsx
+++ b/src/components/Folder/FolderComponent.tsx
@ -11,28 +11,11 @@ export default function FolderComponent({ selectedFile }: Props) {
 	const sanitizedHtml = useMemo(() => {
 		const raw = selectedFile?.content || "";
 		if (!raw) return "";
-
-		// Strict dangerous content detection to prevent various bypass techniques
-		const dangerousPatterns = [
-			/ipcRenderer/gi,
-			/window\s*\[\s*['"`]ipcRenderer['"`]\s*\]/gi,
-			/parent\s*\.\s*ipcRenderer/gi,
-			/top\s*\.\s*ipcRenderer/gi,
-			/frames\s*\[\s*\d+\s*\]\s*\.\s*ipcRenderer/gi,
-			/require\s*\(\s*['"`]electron['"`]\s*\)/gi,
-			/process\s*\.\s*versions\s*\.\s*electron/gi,
-			/nodeIntegration/gi,
-			/webSecurity/gi,
-			/contextIsolation/gi,
-		];
-
-		for (const pattern of dangerousPatterns) {
-			if (pattern.test(raw)) {
-				console.warn("Detected forbidden content:", pattern);
-				return "";
-			}
+		// 如果内容包含 ipcRenderer，直接返回空字符串
+		if (raw.includes("ipcRenderer")) {
+			console.warn("Detected forbidden content: ipcRenderer");
+			return "";
 		}
-
 		return DOMPurify.sanitize(raw, {
 			USE_PROFILES: { html: true },
 			ALLOWED_TAGS: [
@ -58,12 +41,6 @@ export default function FolderComponent({ selectedFile }: Props) {
 				"th",
 				"pre",
 				"code",
-				"h1",
-				"h2",
-				"h3",
-				"h4",
-				"h5",
-				"h6",
 			],
 			ALLOWED_ATTR: [
 				"href",
@ -76,30 +53,8 @@ export default function FolderComponent({ selectedFile }: Props) {
 				"rel",
 				"colspan",
 				"rowspan",
-				"class",
-				"id",
 			],
-			FORBID_ATTR: [
-				"onerror",
-				"onload",
-				"onclick",
-				"onmouseover",
-				"onfocus",
-				"onblur",
-				"onchange",
-				"onsubmit",
-				"onreset",
-				"onselect",
-				"onabort",
-				"onkeydown",
-				"onkeypress",
-				"onkeyup",
-				"onunload",
-			],
-			FORBID_TAGS: ["script", "iframe", "object", "embed", "form", "input", "button"],
-			ADD_ATTR: ["target"],
-			SANITIZE_DOM: true,
-			KEEP_CONTENT: false,
+			FORBID_ATTR: ["onerror", "onload"],
 		});
 	}, [selectedFile?.content]);