authordakkar <dakkar@thenautilus.net>2024-05-07 20:19:52 +0000
committerEmber <acomputerdog@gmail.com>2024-05-07 20:19:52 +0000
commit2c40dd31f32edffcc8f1da7bea53b14589c5d2ad (patch)
tree3be0a644212a33a4d633ed40316b424cd1408c43
parentmerge: fix: `MkPageWindow` doesn't render custom emojis in the titlebar when ... (diff)
laxer HTML sanitisation for admin-controlled text - fixes #447
-rw-r--r--packages/frontend/src/components/MkSignupDialog.rules.vue2
-rw-r--r--packages/frontend/src/components/MkVisitorDashboard.vue2
-rw-r--r--packages/frontend/src/pages/about.vue2
-rw-r--r--packages/frontend/src/scripts/sanitize-html.ts18
4 files changed, 21 insertions, 3 deletions
diff --git a/packages/frontend/src/components/MkSignupDialog.rules.vue b/packages/frontend/src/components/MkSignupDialog.rules.vue
index 18a9eeda23..c2435b308f 100644
--- a/packages/frontend/src/components/MkSignupDialog.rules.vue
+++ b/packages/frontend/src/components/MkSignupDialog.rules.vue
@@ -65,7 +65,7 @@ SPDX-License-Identifier: AGPL-3.0-only
import { computed, ref } from 'vue';
import { instance } from '@/instance.js';
import { i18n } from '@/i18n.js';
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
import MkButton from '@/components/MkButton.vue';
import MkFolder from '@/components/MkFolder.vue';
import MkSwitch from '@/components/MkSwitch.vue';
diff --git a/packages/frontend/src/components/MkVisitorDashboard.vue b/packages/frontend/src/components/MkVisitorDashboard.vue
index d8e6ba9a09..f9f16c594e 100644
--- a/packages/frontend/src/components/MkVisitorDashboard.vue
+++ b/packages/frontend/src/components/MkVisitorDashboard.vue
@@ -56,7 +56,7 @@ SPDX-License-Identifier: AGPL-3.0-only
<script lang="ts" setup>
import { ref } from 'vue';
import * as Misskey from 'misskey-js';
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
import XSigninDialog from '@/components/MkSigninDialog.vue';
import XSignupDialog from '@/components/MkSignupDialog.vue';
import MkButton from '@/components/MkButton.vue';
diff --git a/packages/frontend/src/pages/about.vue b/packages/frontend/src/pages/about.vue
index f2aceada7d..23960d39d9 100644
--- a/packages/frontend/src/pages/about.vue
+++ b/packages/frontend/src/pages/about.vue
@@ -130,7 +130,7 @@ SPDX-License-Identifier: AGPL-3.0-only
</template>
<script lang="ts" setup>
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
import { computed, watch, ref } from 'vue';
import * as Misskey from 'misskey-js';
import XEmojis from './about.emojis.vue';
diff --git a/packages/frontend/src/scripts/sanitize-html.ts b/packages/frontend/src/scripts/sanitize-html.ts
new file mode 100644
index 0000000000..6e1a46c746
--- /dev/null
+++ b/packages/frontend/src/scripts/sanitize-html.ts
@@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+import original from 'sanitize-html';
+
+export default function sanitizeHtml(str: string | null): string | null {
+ if (str == null) return str;
+ return original(str, {
+ allowedTags: original.defaults.allowedTags.concat(['img', 'audio', 'video', 'center', 'details', 'summary']),
+ allowedAttributes: {
+ ...original.defaults.allowedAttributes,
+ a: original.defaults.allowedAttributes.a.concat(['style']),
+ img: original.defaults.allowedAttributes.img.concat(['style']),
+ },
+ });
+}
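Review bot: Adding `style` to the allowed attributes of `a` and `img` without also setting `allowedStyles` lets inline CSS through unfiltered, since as far as I recall sanitize-html only filters declarations when `allowedStyles` is configured; that lets the text reposition or overlay elements on the signup and visitor pages, which is only acceptable because the callers feed admin-controlled fields. That trust assumption is not stated anywhere in the new file, so a header comment such as `// Laxer sanitiser for admin-controlled text (instance rules, about page). Never use on user-supplied HTML: style on <a>/<img> is passed through unfiltered.` would keep the next caller from reusing it on untrusted input; alternatively constrain it with an `allowedStyles` map for the properties the admins actually need. I also suspect `audio` and `video` have no entry in `original.defaults.allowedAttributes`, so their `src`/`controls` attributes would be stripped and the tags would render empty — worth confirming and adding an explicit entry if media embedding is the intent. The exported function could carry a short TSDoc line with the same warning, since it is a drop-in replacement for the library import in three call sites.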