feat(api): Reimplement HTML sanitization

Jesse Wierzbinski 2024-05-02 13:25:32 -10:00
parent cac726ac1b
commit febddc2a8b
4 changed files with 123 additions and 126 deletions

bun.lockb



@ -77,8 +77,10 @@
"cli-parser": "workspace:*", "cli-parser": "workspace:*",
"cli-table": "^0.3.11", "cli-table": "^0.3.11",
"config-manager": "workspace:*", "config-manager": "workspace:*",
"dompurify": "^3.1.2",
"drizzle-orm": "^0.30.7", "drizzle-orm": "^0.30.7",
"extract-zip": "^2.0.1", "extract-zip": "^2.0.1",
"happy-dom": "14.5.0",
"html-to-text": "^9.0.5", "html-to-text": "^9.0.5",
"ioredis": "^5.3.2", "ioredis": "^5.3.2",
"ip-matching": "^2.1.2", "ip-matching": "^2.1.2",
@ -95,7 +97,6 @@
"markdown-it-container": "^4.0.0", "markdown-it-container": "^4.0.0",
"markdown-it-toc-done-right": "^4.2.0", "markdown-it-toc-done-right": "^4.2.0",
"media-manager": "workspace:*", "media-manager": "workspace:*",
"megalodon": "^10.0.0",
"meilisearch": "^0.38.0", "meilisearch": "^0.38.0",
"mime-types": "^2.1.35", "mime-types": "^2.1.35",
"oauth4webapi": "^2.4.0", "oauth4webapi": "^2.4.0",
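Review bot: `"happy-dom": "14.5.0"` is the only dependency in this hunk pinned to an exact version while its neighbours, including the newly added `"dompurify": "^3.1.2"`, use caret ranges. Since happy-dom is the DOM that DOMPurify now runs on, an exact pin is defensible (parser behaviour changes can alter what the sanitizer lets through), but the reason is not recorded anywhere in the diff; either state it in the commit message or in a comment next to where the window is created in the sanitizer, or align it to `"^14.5.0"` if the pin was accidental.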


@ -97,19 +97,10 @@ export default apiRoute<typeof meta, typeof schema>(
const sanitizedNote = await sanitizeHtml(note ?? ""); const sanitizedNote = await sanitizeHtml(note ?? "");
const sanitizedDisplayName = display_name ?? ""; /* sanitize(display_name ?? "", { const sanitizedDisplayName = await sanitizeHtml(display_name ?? "", {
ALLOWED_TAGS: [], ALLOWED_TAGS: [],
ALLOWED_ATTR: [], ALLOWED_ATTR: [],
}); });
*/
/* if (!user.source) {
user.source = {
privacy: "public",
sensitive: false,
language: "en",
note: "",
};
} */
let mediaManager: MediaBackend; let mediaManager: MediaBackend;
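Review bot: The display-name call passes `ALLOWED_TAGS: []` and `ALLOWED_ATTR: []` through `extraConfig`, but the base options inside sanitizeHtml also set `USE_PROFILES: { mathMl: true }`, and in the DOMPurify versions I know the profile is applied after the allow-lists and repopulates them with the MathML profile's tags and attributes; if that holds here, the display name is not reduced to plain text as the empty lists intend. Passing `USE_PROFILES: false` alongside the two empty lists should switch the profile off for this call, and a unit test asserting that a display name containing a `<math>` element comes back as text only would pin the intended behaviour. The enclosing route handler starts and ends outside this hunk.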


@ -1,10 +1,14 @@
import { config } from "config-manager"; import { config } from "config-manager";
// import { sanitize } from "isomorphic-dompurify"; import type DOMPurify from "dompurify";
import createDomPurify from "dompurify";
import { Window } from "happy-dom";
export const sanitizeHtml = async (html: string) => { const window = new Window();
// TEMP: Allow all tags and attributes // @ts-expect-error Mismatch between types, but they're okay i swear
return html; const purifier = createDomPurify(window);
/* const sanitizedHtml = sanitize(html, {
export const sanitizeHtml = async (html: string, extraConfig?: DOMPurify.Config) => {
const sanitizedHtml = purifier.sanitize(html, {
ALLOWED_TAGS: [ ALLOWED_TAGS: [
"a", "a",
"p", "p",
@ -40,7 +44,8 @@ export const sanitizeHtml = async (html: string) => {
USE_PROFILES: { USE_PROFILES: {
mathMl: true, mathMl: true,
}, },
}); ...extraConfig,
}) as string;
// Check text to only allow h-*, p-*, u-*, dt-*, e-*, mention, hashtag, ellipsis, invisible classes // Check text to only allow h-*, p-*, u-*, dt-*, e-*, mention, hashtag, ellipsis, invisible classes
const allowedClasses = [ const allowedClasses = [
@ -72,5 +77,5 @@ export const sanitizeHtml = async (html: string) => {
}, },
}) })
.transform(new Response(sanitizedHtml)) .transform(new Response(sanitizedHtml))
.text(); */ .text();
}; };
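Review bot: The `@ts-expect-error` above `createDomPurify(window)` should say which types disagree rather than "they're okay i swear", because this line is where the sanitizer's host DOM is chosen and a later happy-dom or dompurify bump that changes either shape would then fail quietly instead of loudly; e.g. `// @ts-expect-error happy-dom's Window is not typed as the window DOMPurify expects; it supplies the DOM APIs DOMPurify uses at runtime`. A short header comment is also warranted: DOMPurify's output is only as safe as the agreement between the DOM it runs on and the browser that will render the result, and happy-dom is a lightweight implementation rather than a browser engine, so the engine choice (and the exact version pin in package.json) should be recorded next to `const window = new Window();`, which is also created once at module load and shared by every call. The `as string` on the sanitize result is only true while no caller sets a `RETURN_DOM`-style option through `extraConfig`, which is spread last and can therefore override any base option; either narrow the accepted type, e.g. `extraConfig?: Omit<DOMPurify.Config, "RETURN_DOM" | "RETURN_DOM_FRAGMENT">`, or document that assumption on the parameter. The middle of the ALLOWED_TAGS list and the class-filtering step lie outside these hunks.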