Sanitize PreviewCard html

This commit is contained in:
Alex Gleason 2024-03-14 19:01:07 -05:00
parent 4426e9c481
commit d53c1c2227
No known key found for this signature in database
GPG key ID: 7211D1F99744FBB7


@ -1,5 +1,6 @@
import punycode from 'punycode';
import DOMPurify from 'isomorphic-dompurify';
import { z } from 'zod';
import { groupSchema } from './group';
@ -54,6 +55,29 @@ const cardSchema = z.object({
}
}
const html = DOMPurify.sanitize(card.html, {
ALLOWED_TAGS: ['iframe'],
ALLOWED_ATTR: ['src', 'width', 'height', 'frameborder', 'allowfullscreen'],
RETURN_DOM: true,
});
html.querySelectorAll('iframe').forEach((frame) => {
try {
const src = new URL(frame.src);
if (src.protocol !== 'https:') {
throw new Error('iframe must be https');
}
if (src.origin === location.origin) {
throw new Error('iframe must not be same origin');
}
frame.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-presentation');
} catch (e) {
frame.remove();
}
});
card.html = html.outerHTML;
return card;
});
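Review bot: `card.html = html.outerHTML` serializes the node DOMPurify returns under `RETURN_DOM: true`, which (per DOMPurify's documentation) is a body element, so the stored string is likely wrapped in `<body>…</body>`; `html.innerHTML` would hold just the sanitized fragment — worth confirming against the actual DOMPurify version in use. The origin check relies on the global `location`, which is absent outside a browser; with `isomorphic-dompurify` in the imports, if this schema is ever evaluated server-side the `ReferenceError` is swallowed by the surrounding catch and every iframe is silently removed, which is safe but probably unintended. The reason for the same-origin rejection deserves a comment, since `allow-scripts` together with `allow-same-origin` lets a same-origin framed document strip its own sandbox: `// allow-scripts + allow-same-origin would let a same-origin frame escape the sandbox, so same-origin src is rejected`. The enclosing transform callback starts before this hunk.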