Merge branch 'card-sanitize' into 'main'
Sanitize PreviewCard html. See merge request soapbox-pub/soapbox!2950
commit
97e52b9c07
1 changed files with 28 additions and 0 deletions
@ -1,5 +1,6 @@
import punycode from 'punycode';
import DOMPurify from 'isomorphic-dompurify';
import { z } from 'zod';
import { groupSchema } from './group';
@ -54,6 +55,33 @@ const cardSchema = z.object({
}
}
const html = DOMPurify.sanitize(card.html, {
ALLOWED_TAGS: ['iframe'],
ALLOWED_ATTR: ['src', 'width', 'height', 'frameborder', 'allowfullscreen'],
RETURN_DOM: true,
});
html.querySelectorAll('iframe').forEach((frame) => {
try {
const src = new URL(frame.src);
if (src.protocol !== 'https:') {
throw new Error('iframe must be https');
}
if (src.origin === location.origin) {
throw new Error('iframe must not be same origin');
}
frame.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-presentation');
} catch (e) {
frame.remove();
}
});
card.html = html.innerHTML;
if (!card.html) {
card.type = 'link';
}
return card;
});
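Review bot: The `if (!card.html)` fallback at the end of the transform does not fire when every iframe was stripped but text survived, because DOMPurify keeps the text content of disallowed elements by default (`KEEP_CONTENT` is true), so a card whose html was only a wrapper with a caption ends up with a non-empty `card.html` and keeps its rich type with nothing embeddable in it. Passing `KEEP_CONTENT: false,` next to `ALLOWED_TAGS`, or testing `html.querySelector('iframe') === null` instead of the string's truthiness, makes the downgrade to `'link'` reliable. The `sandbox` value `allow-scripts allow-same-origin` is only safe because the same-origin frames were already rejected two lines earlier; a comment above the `setAttribute` call, `// allow-same-origin is only acceptable here because same-origin frames were rejected above`, would stop a later edit from dropping that check without noticing the coupling. `location` is a browser global, so if this schema ever runs outside a browser (the isomorphic-dompurify import suggests it might) the `location.origin` lookup throws and the catch-all removes every frame — presumably the intended fail-closed behaviour, but worth stating in a comment on the `catch`.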