From 73098d106de4bc4570d10cc035febd1af06d674f Mon Sep 17 00:00:00 2001
From: Jason Hu
Date: Sun, 26 Aug 2018 11:50:37 -0700
Subject: [PATCH] disableXssFilter ==> allowSvg (#1600)
* disableXssFilter ==> allowSvg
* Move allowSvg patch to _render()
* Add comment
---
 src/components/ha-markdown.js | 16 +++++++++++++---
 .../config/config-entries/ha-config-flow.js | 2 +-
 src/panels/profile/ha-mfa-module-setup-flow.js | 2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/components/ha-markdown.js b/src/components/ha-markdown.js
index 5723c6e992..c09267a398 100644
--- a/src/components/ha-markdown.js
+++ b/src/components/ha-markdown.js
@@ -3,6 +3,12 @@ import EventsMixin from '../mixins/events-mixin.js';
 let loaded = null;
+/**
+ * White list allowed svg tag.
+ * Only put in the tag used in QR code, can be extend in future.
+ */
+const svgWhiteList = ['svg', 'path'];
+
 /*
 * @appliesMixin EventsMixin
 */
@@ -13,7 +19,7 @@ class HaMarkdown extends EventsMixin(PolymerElement) {
 type: String,
 observer: '_render',
 },
- disableXssFilter: {
+ allowSvg: {
 type: Boolean,
 value: false,
 },
@@ -33,7 +39,7 @@ class HaMarkdown extends EventsMixin(PolymerElement) {
 loaded.then(
 ({ marked, filterXSS }) => {
 this.marked = marked;
- this.filterXSS = this.disableXssFilter ? c => c : filterXSS;
+ this.filterXSS = filterXSS;
 this._scriptLoaded = 1;
 },
 () => { this._scriptLoaded = 2; },
@@ -54,7 +60,11 @@ class HaMarkdown extends EventsMixin(PolymerElement) {
 gfm: true,
 tables: true,
 breaks: true
- }));
+ }), {
+ onIgnoreTag: this.allowSvg
+ ? (tag, html) => (svgWhiteList.indexOf(tag) >= 0 ? html : null)
+ : null
+ });
 this._resize();
 const walker = document.createTreeWalker(this, 1 /* SHOW_ELEMENT */, null, false);
diff --git a/src/panels/config/config-entries/ha-config-flow.js b/src/panels/config/config-entries/ha-config-flow.js
index 1d1c8d3cfe..4da8189094 100644
--- a/src/panels/config/config-entries/ha-config-flow.js
+++ b/src/panels/config/config-entries/ha-config-flow.js
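Review bot: The doc comment on `svgWhiteList` (first hunk of src/components/ha-markdown.js) invites extending the list but does not say what listing a tag does. Going by the `onIgnoreTag` callback added in the last hunk of this file, a listed tag's text is handed back as-is instead of being escaped, so every new entry widens what markdown content can place in the DOM. I would make that explicit and tidy the wording: `Tags the XSS filter lets through when allowSvg is set. A listed tag is emitted verbatim, attributes included, so keep this to the tags the QR code needs.`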
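Review bot: The `onIgnoreTag` callback in the last hunk of src/components/ha-markdown.js returns `html` unchanged for `svg` and `path`, so with `allowSvg` set those tags skip attribute filtering as well as tag filtering. If `filterXSS` is the js-xss function (its loader is outside this patch), an `<svg>` or `<path>` in the rendered markdown keeps whatever attributes it arrived with, event handlers included. Allowing the two tags through the filter's `whiteList` option instead keeps the attribute checks in force: `whiteList: this.allowSvg ? svgWhiteList : undefined`, with `svgWhiteList` rebuilt as the default list plus `svg` and `path` entries naming only the attributes the QR code uses (those names are not visible in this patch). The enclosing method, which the commit message names as `_render()`, starts and ends outside the hunk.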
@@ -71,7 +71,7 @@ class HaConfigFlow extends