Merge branch 'card-sanitize' into 'main'
Sanitize PreviewCard html. See merge request soapbox-pub/soapbox!2950
commit
97e52b9c07
1 changed files with 28 additions and 0 deletions
|
@ -1,5 +1,6 @@
|
||||||
import punycode from 'punycode';
|
import punycode from 'punycode';
|
||||||
|
|
||||||
|
import DOMPurify from 'isomorphic-dompurify';
|
||||||
import { z } from 'zod';
|
import { z } from 'zod';
|
||||||
|
|
||||||
import { groupSchema } from './group';
|
import { groupSchema } from './group';
|
||||||
|
@ -54,6 +55,33 @@ const cardSchema = z.object({
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const html = DOMPurify.sanitize(card.html, {
|
||||||
|
ALLOWED_TAGS: ['iframe'],
|
||||||
|
ALLOWED_ATTR: ['src', 'width', 'height', 'frameborder', 'allowfullscreen'],
|
||||||
|
RETURN_DOM: true,
|
||||||
|
});
|
||||||
|
|
||||||
|
html.querySelectorAll('iframe').forEach((frame) => {
|
||||||
|
try {
|
||||||
|
const src = new URL(frame.src);
|
||||||
|
if (src.protocol !== 'https:') {
|
||||||
|
throw new Error('iframe must be https');
|
||||||
|
}
|
||||||
|
if (src.origin === location.origin) {
|
||||||
|
throw new Error('iframe must not be same origin');
|
||||||
|
}
|
||||||
|
frame.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-presentation');
|
||||||
|
} catch (e) {
|
||||||
|
frame.remove();
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
card.html = html.innerHTML;
|
||||||
|
|
||||||
|
if (!card.html) {
|
||||||
|
card.type = 'link';
|
||||||
|
}
|
||||||
|
|
||||||
return card;
|
return card;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
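Review bot: The bare `location.origin` comparison inside the iframe loop throws a ReferenceError wherever `location` is not a global, and the switch to `isomorphic-dompurify` suggests a non-browser environment is meant to be supported; the blanket `catch (e)` then silently strips every frame instead of surfacing the problem. Consider resolving the embedder origin once before the loop, e.g. `const ownOrigin = globalThis.location?.origin;`, comparing `src.origin === ownOrigin`, and narrowing the catch so only the two deliberate `iframe must ...` rejections and the `TypeError` from `new URL()` lead to `frame.remove()`, with anything else rethrown. Note also that the same-origin check is made on the declared `src` before any redirect, so the `allow-scripts allow-same-origin` sandbox still relies on the embedded host not redirecting back into this origin; a short comment stating that assumption next to `setAttribute('sandbox', ...)` would help the next reader. The enclosing `cardSchema` transform starts outside the hunk.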