laxer HTML sanitisation for admin-controlled text - fixes #447
parent
9de4e3c7aa
commit
2c40dd31f3
4 changed files with 21 additions and 3 deletions
|
@ -65,7 +65,7 @@ SPDX-License-Identifier: AGPL-3.0-only
|
|||
import { computed, ref } from 'vue';
|
||||
import { instance } from '@/instance.js';
|
||||
import { i18n } from '@/i18n.js';
|
||||
import sanitizeHtml from 'sanitize-html';
|
||||
import sanitizeHtml from '@/scripts/sanitize-html.js';
|
||||
import MkButton from '@/components/MkButton.vue';
|
||||
import MkFolder from '@/components/MkFolder.vue';
|
||||
import MkSwitch from '@/components/MkSwitch.vue';
|
||||
|
|
|
@ -56,7 +56,7 @@ SPDX-License-Identifier: AGPL-3.0-only
|
|||
<script lang="ts" setup>
|
||||
import { ref } from 'vue';
|
||||
import * as Misskey from 'misskey-js';
|
||||
import sanitizeHtml from 'sanitize-html';
|
||||
import sanitizeHtml from '@/scripts/sanitize-html.js';
|
||||
import XSigninDialog from '@/components/MkSigninDialog.vue';
|
||||
import XSignupDialog from '@/components/MkSignupDialog.vue';
|
||||
import MkButton from '@/components/MkButton.vue';
|
||||
|
|
|
@ -130,7 +130,7 @@ SPDX-License-Identifier: AGPL-3.0-only
|
|||
</template>
|
||||
|
||||
<script lang="ts" setup>
|
||||
import sanitizeHtml from 'sanitize-html';
|
||||
import sanitizeHtml from '@/scripts/sanitize-html.js';
|
||||
import { computed, watch, ref } from 'vue';
|
||||
import * as Misskey from 'misskey-js';
|
||||
import XEmojis from './about.emojis.vue';
|
||||
|
|
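--- a/packages/frontend/src/scripts/sanitize-html.ts
+++ b/packages/frontend/src/scripts/sanitize-html.ts
@@ -0,0 +1,18 @@
+/*
+* SPDX-FileCopyrightText: dakkar and other Sharkey contributors
+* SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+import original from 'sanitize-html';
+
+export default function sanitizeHtml(str: string | null): string | null {
+if (str == null) return str;
+return original(str, {
+allowedTags: original.defaults.allowedTags.concat(['img', 'audio', 'video', 'center', 'details', 'summary']),
+allowedAttributes: {
+...original.defaults.allowedAttributes,
+a: original.defaults.allowedAttributes.a.concat(['style']),
+img: original.defaults.allowedAttributes.img.concat(['style']),
+},
+});
+}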
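Review bot: The `style` attribute added for `a` and `img` is not paired with an `allowedStyles` option, and as far as I know sanitize-html only filters declarations when that option is set, so every inline CSS declaration on those two tags passes through, including positioning and remote `url()` references. That is tolerable only while every caller passes admin-authored text, but nothing in the file states that limit and the export keeps the generic name `sanitizeHtml`, so a later caller could reuse it for user or remote content. I would add a comment above the function such as `// Admin-controlled text only: allows media tags and inline style; never pass user-supplied or federated HTML.` and list the CSS properties actually needed under `allowedStyles`. Separately, `audio` and `video` are allowed as tags but get no entry in `allowedAttributes`, so `src` and `controls` would presumably be stripped; it is worth confirming that those tags render as intended.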