
fix: sanitize dom first
0x2E committed Aug 3, 2024
1 parent 0f0d4a1 commit 2009a57
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions frontend/src/routes/items/+page.svelte
Expand Up @@ -34,7 +34,9 @@
{ tag: 'object', attrs: ['data'] }
];
const dom = new DOMParser().parseFromString(content, 'text/html');
const cleaned = DOMPurify.sanitize(content, { FORBID_ATTR: ['class', 'style'] });
const dom = new DOMParser().parseFromString(cleaned, 'text/html');
for (const el of elements) {
dom.querySelectorAll(el.tag).forEach((v) => {
for (const attr of el.attrs) {
Expand All @@ -54,14 +56,12 @@
}
});
const replaced = new XMLSerializer().serializeToString(dom);
// data.content = data.content.replace(/src="(.*?)"/g, (_, match) => {
// const res = new URL(match, data.link).href;
// return `src="${res}"`;
// });
// FIX: sanitize should be the first
return DOMPurify.sanitize(replaced, { FORBID_ATTR: ['class', 'style'] });
return new XMLSerializer().serializeToString(dom);
}
let fixActionbar = true;
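Review bot: The string returned at `return new XMLSerializer().serializeToString(dom);` is no longer DOMPurify's output: after the sanitize-then-parse at the top of the first hunk, the DOM is mutated by the attribute-rewriting loop (which starts inside the first hunk but whose body lies outside it, along with the rest of this function) and then re-serialized, and nothing re-checks the result. XMLSerializer produces an XML serialization of an HTML document, and a serialize/re-parse round-trip of mutated markup is exactly the mutation-XSS path that DOMPurify guards against internally, so the rewritten attributes (presumably URL resolution, judging by the commented-out `src=` block) are worth either constraining to known-safe schemes or covering with a final pass, e.g. `return DOMPurify.sanitize(new XMLSerializer().serializeToString(dom), { FORBID_ATTR: ['class', 'style'] });` in addition to the initial one. Separately, with sanitization now running first under a default configuration, DOMPurify strips `object` elements, so the `{ tag: 'object', attrs: ['data'] }` entry in `elements` appears to be dead unless the tag is re-allowed elsewhere; a comment such as `// NOTE: DOMPurify's default tag list drops <object>, so this entry only matters if ADD_TAGS is used` would save the next reader the confusion.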
