Merge pull request #50 from GlobalDataverseCommunityConsortium/sanitize_description

sanitize description

Author: qqmyers

previewers/AudioPreview.html

@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/audio.js"></script>
 <script src="lib/jquery.i18n.js"></script>
 <script src="lib/jquery.i18n.messagestore.js"></script>

previewers/ImagePreview.html

@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/image.js"></script>
 <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery-zoom/1.7.21/jquery.zoom.min.js"></script>
 <script src="lib/jquery.i18n.js"></script>

previewers/PDFPreview.html

@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/pdfpreview.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/pdf.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/pdf.worker.js"></script>

previewers/SpreadsheetPreview.html

@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script src="https://cdn.jsdelivr.net/handsontable/0.28.4/handsontable.full.min.js"></script>
 <script src="https://cdn.jsdelivr.net/npm/papaparse@5"></script>
 

previewers/VideoPreview.html

@@ -2,7 +2,7 @@
 <head>
 <meta charset="utf-8">
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
-
+<script type="text/javascript" src="/dataverse-previewers/previewers/js/xss.js"></script>
 <script type="text/javascript" src="/dataverse-previewers/previewers/js/video.js"></script>
 <script src="lib/jquery.i18n.js"></script>
 <script src="lib/jquery.i18n.messagestore.js"></script>

previewers/js/retriever.js

@@ -138,6 +138,8 @@ function addStandardPreviewHeader(file, title, authors) {
   $('body').append($('<div/>').html(footer).attr('id','footer'));
 
 	if (previewMode !== 'true') {
+		
+    options = {"stripIgnoreTag":true, "stripIgnoreTagBody":['script','head']};  // Custom rules
 	  //Translated text used in the preview header
 
     var filenameText = $.i18n( "filenameText" );
@@ -161,7 +163,7 @@ function addStandardPreviewHeader(file, title, authors) {
 			$('<a/>').attr('href', filePageUrl).text(file.filename)).attr('id',
 			'filename'));
 	  if ((file.description != null) && (file.description.length > 0)) {
-		  header.append($('<div/>').html("<span>" + descriptionText + "</span>" + file.description));
+		  header.append($('<div/>').html(filterXSS("<span>" + descriptionText + "</span>" + file.description), options));
 	  }
 	  header.append($('<div/>').append($("<span/>").text(inText)).append(
 			$('<span/>').attr('id', 'dataset').append(