From d53c1c222794a9eb533a6a4c0f9487e50e09d47b Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Thu, 14 Mar 2024 19:01:07 -0500
Subject: [PATCH 1/2] Sanitize PreviewCard html
---
 src/schemas/card.ts | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/src/schemas/card.ts b/src/schemas/card.ts
index d35c9f1098..f28b5eee64 100644
--- a/src/schemas/card.ts
+++ b/src/schemas/card.ts
@@ -1,5 +1,6 @@
 import punycode from 'punycode';
+import DOMPurify from 'isomorphic-dompurify';
 import { z } from 'zod';
 import { groupSchema } from './group';
@@ -54,6 +55,29 @@ const cardSchema = z.object({
 }
 }
+ const html = DOMPurify.sanitize(card.html, {
+ ALLOWED_TAGS: ['iframe'],
+ ALLOWED_ATTR: ['src', 'width', 'height', 'frameborder', 'allowfullscreen'],
+ RETURN_DOM: true,
+ });
+
+ html.querySelectorAll('iframe').forEach((frame) => {
+ try {
+ const src = new URL(frame.src);
+ if (src.protocol !== 'https:') {
+ throw new Error('iframe must be https');
+ }
+ if (src.origin === location.origin) {
+ throw new Error('iframe must not be same origin');
+ }
+ frame.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-presentation');
+ } catch (e) {
+ frame.remove();
+ }
+ });
+
+ card.html = html.outerHTML;
+
 return card;
 });
From 8633eca37dff6e9a759e5b3f4420d33945b8a8d2 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Thu, 14 Mar 2024 19:09:00 -0500
Subject: [PATCH 2/2] cardSchema: take innerHTML instead, force type to 'link' if html is empty
---
 src/schemas/card.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/schemas/card.ts b/src/schemas/card.ts
index f28b5eee64..dc4ba2e6b2 100644
--- a/src/schemas/card.ts
+++ b/src/schemas/card.ts
@@ -76,7 +76,11 @@ const cardSchema = z.object({
 }
 });
- card.html = html.outerHTML;
+ card.html = html.innerHTML;
+
+ if (!card.html) {
+ card.type = 'link';
+ }
 return card;
 });
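Review bot: The added `import DOMPurify from 'isomorphic-dompurify';` is the only file touched in the series, and the diffstat (`1 file changed, 24 insertions(+)`) shows no package.json or lockfile update, so unless the package is already a declared dependency it is being pulled in without a pinned version. A sanitizer is a security-critical dependency; declare it in package.json in this same series and check that the lockfile records its resolved version and integrity hash. If it is already declared, a one-line mention in the commit message would spare reviewers that check.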
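Review bot: The same-origin check `if (src.origin === location.origin)` reads the browser global `location`, yet this is a schema module and the series imports `isomorphic-dompurify`, which presumably exists so that parsing can also run outside a browser; where `location` is undefined the ReferenceError is caught by the enclosing `try` and every iframe is silently removed, with `catch (e)` discarding the reason. Resolve the origin once before the loop and make the decision explicit, e.g. `const selfOrigin = typeof location === 'undefined' ? undefined : location.origin;` and then `if (selfOrigin === undefined || src.origin === selfOrigin) throw new Error('iframe must not be same origin');`, so that the non-browser behaviour (fail closed, as today) is a stated choice rather than a side effect of a missing global, and use `catch {` since `e` is unused. The sandbox value `allow-scripts allow-same-origin allow-presentation` also deserves a comment, because that pair re-enables most of what sandbox removes and is only safe here because same-origin sources are rejected immediately above: `// allow-scripts + allow-same-origin would let a same-origin frame strip its own sandbox; safe only because same-origin src is rejected above`. The transform callback that contains this code starts before the hunk.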
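Review bot: `if (!card.html)` only detects an empty string, which is not the same as "no iframe survived": DOMPurify's `KEEP_CONTENT` defaults to true, so text inside stripped elements (e.g. `<p>text</p>` becomes `text`) remains as text nodes and `html.innerHTML` is non-empty even when every iframe was removed, leaving the card typed `video`/`rich` with html that is bare text. Decide on the DOM instead of the string, `if (!html.querySelector('iframe')) { card.type = 'link'; }`, or pass `KEEP_CONTENT: false` to the sanitize call earlier in the transform (outside this hunk) so that only iframes can survive at all. This assumes `'link'` is a member of the `type` enum declared above the hunk; the transform callback starts before the hunk and the `html` DOM it reads comes from that earlier sanitize call.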