gorb/frontend
4
0
Fork 0
Code Issues 7 Pull requests 3 Projects Releases Packages 1 Wiki Activity Actions

feat: add more restrictions to markdown sanitization
All checks were successful
ci/woodpecker/push/build-and-publish Pipeline was successful
Details

Browse source
This commit is contained in:
SauceyRed 2025-07-07 19:53:50 +02:00
parent f8ede8385e
commit 0c6cae110f
No known key found for this signature in database
GPG key ID: 6AD2337BB02E657B
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
components/Message.vue
View file

@ -60,7 +60,16 @@ const sanitized = ref<string>();
onMounted(async () => { onMounted(async () => {
const parsed = await parse(props.text, { gfm: true }); const parsed = await parse(props.text, { gfm: true });
sanitized.value = DOMPurify.sanitize(parsed, { ALLOWED_TAGS: ["strong", "em", "br", "blockquote", "code", "ul", "ol", "li", "a", "h1", "h2", "h3", "h4", "h5", "h6"] }); sanitized.value = DOMPurify.sanitize(parsed, {
ALLOWED_TAGS: [
"strong", "em", "br", "blockquote",
"code", "ul", "ol", "li", "a", "h1",
"h2", "h3", "h4", "h5", "h6"
],
ALLOW_DATA_ATTR: false,
ALLOW_SELF_CLOSE_IN_ATTR: false,
ALLOWED_ATTR: []
});
console.log("adding listeners") console.log("adding listeners")
await nextTick(); await nextTick();
messageElement.value?.addEventListener("mouseenter", (e: Event) => { messageElement.value?.addEventListener("mouseenter", (e: Event) => {