refactor(api): 📦 Change sanitizer from DOMPurify to xss

2026-03-13 22:09:16 +01:00 · 2024-05-02 17:20:24 -10:00 · 2024-05-02 17:20:24 -10:00 · 154f17ab12
commit 154f17ab12
parent a430db5c30
7 changed files with 99 additions and 52 deletions
--- a/server/api/api/v1/accounts/update_credentials/index.ts
+++ b/server/api/api/v1/accounts/update_credentials/index.ts
@ -1,6 +1,6 @@
 import { apiRoute, applyConfig } from "@api";
 import { errorResponse, jsonResponse } from "@response";
-import { sanitizeHtml } from "@sanitization";
+import { sanitizeHtml, sanitizedHtmlStrip } from "@sanitization";
 import { config } from "config-manager";
 import { and, eq } from "drizzle-orm";
 import ISO6391 from "iso-639-1";
@ -97,10 +97,9 @@ export default apiRoute<typeof meta, typeof schema>(

        const sanitizedNote = await sanitizeHtml(note ?? "");

-        const sanitizedDisplayName = await sanitizeHtml(display_name ?? "", {
-            ALLOWED_TAGS: [],
-            ALLOWED_ATTR: [],
-        });
+        const sanitizedDisplayName = await sanitizedHtmlStrip(
+            display_name ?? "",
+        );

        let mediaManager: MediaBackend;

--- a/server/api/api/v1/statuses/index.test.ts
+++ b/server/api/api/v1/statuses/index.test.ts
@ -361,4 +361,62 @@ describe(meta.route, () => {
            });
        });
    });
+
+    describe("HTML injection testing", () => {
+        test("should not allow HTML injection", async () => {
+            const response = await sendTestRequest(
+                new Request(new URL(meta.route, config.http.base_url), {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                        Authorization: `Bearer ${tokens[0].accessToken}`,
+                    },
+                    body: JSON.stringify({
+                        status: "Hi! <script>alert('Hello, world!');</script>",
+                        federate: false,
+                    }),
+                }),
+            );
+
+            expect(response.status).toBe(200);
+            expect(response.headers.get("content-type")).toBe(
+                "application/json",
+            );
+
+            const object = (await response.json()) as APIStatus;
+
+            expect(object.content).toBe(
+                "<p>Hi! &lt;script&gt;alert('Hello, world!');&lt;/script&gt;</p>",
+            );
+        });
+
+        test("should not allow HTML injection in spoiler_text", async () => {
+            const response = await sendTestRequest(
+                new Request(new URL(meta.route, config.http.base_url), {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                        Authorization: `Bearer ${tokens[0].accessToken}`,
+                    },
+                    body: JSON.stringify({
+                        status: "Hello, world!",
+                        spoiler_text:
+                            "uwu <script>alert('Hello, world!');</script>",
+                        federate: false,
+                    }),
+                }),
+            );
+
+            expect(response.status).toBe(200);
+            expect(response.headers.get("content-type")).toBe(
+                "application/json",
+            );
+
+            const object = (await response.json()) as APIStatus;
+
+            expect(object.spoiler_text).toBe(
+                "uwu &#x3C;script&#x3E;alert(&#x27;Hello, world!&#x27;);&#x3C;/script&#x3E;",
+            );
+        });
+    });
 });