disableXssFilter ==> allowSvg (#1600)

* disableXssFilter ==> allowSvg * Move allowSvg patch to _render() * Add comment
2025-07-19 07:16:39 +00:00 · 2018-08-26 11:50:37 -07:00 · 2018-08-26 11:50:37 -07:00 · 73098d106d
commit 73098d106d
parent c8ea4cd85e
3 changed files with 15 additions and 5 deletions
--- a/src/components/ha-markdown.js
+++ b/src/components/ha-markdown.js
@ -3,6 +3,12 @@ import EventsMixin from '../mixins/events-mixin.js';

 let loaded = null;

+/**
+ * White list allowed svg tag.
+ * Only put in the tag used in QR code, can be extend in future.
+ */
+const svgWhiteList = ['svg', 'path'];
+
 /*
 * @appliesMixin EventsMixin
 */
@ -13,7 +19,7 @@ class HaMarkdown extends EventsMixin(PolymerElement) {
        type: String,
        observer: '_render',
      },
-      disableXssFilter: {
+      allowSvg: {
        type: Boolean,
        value: false,
      },
@ -33,7 +39,7 @@ class HaMarkdown extends EventsMixin(PolymerElement) {
    loaded.then(
      ({ marked, filterXSS }) => {
        this.marked = marked;
-        this.filterXSS = this.disableXssFilter ? c => c : filterXSS;
+        this.filterXSS = filterXSS;
        this._scriptLoaded = 1;
      },
      () => { this._scriptLoaded = 2; },
@ -54,7 +60,11 @@ class HaMarkdown extends EventsMixin(PolymerElement) {
          gfm: true,
          tables: true,
          breaks: true
-        }));
+        }), {
+          onIgnoreTag: this.allowSvg
+            ? (tag, html) => (svgWhiteList.indexOf(tag) >= 0 ? html : null)
+            : null
+        });
        this._resize();

        const walker = document.createTreeWalker(this, 1 /* SHOW_ELEMENT */, null, false);
--- a/src/panels/config/config-entries/ha-config-flow.js
+++ b/src/panels/config/config-entries/ha-config-flow.js
@ -71,7 +71,7 @@ class HaConfigFlow extends

          <template is="dom-if" if="[[_equals(_step.type, 'form')]]">
            <template is="dom-if" if="[[_computeStepDescription(localize, _step)]]">
-              <ha-markdown content="[[_computeStepDescription(localize, _step)]]" disable-xss-filter></ha-markdown>
+              <ha-markdown content="[[_computeStepDescription(localize, _step)]]" allow-svg></ha-markdown>
            </template>

            <ha-form
--- a/src/panels/profile/ha-mfa-module-setup-flow.js
+++ b/src/panels/profile/ha-mfa-module-setup-flow.js
@ -71,7 +71,7 @@ class HaMfaModuleSetupFlow extends

          <template is="dom-if" if="[[_equals(_step.type, 'form')]]">
            <template is="dom-if" if="[[_computeStepDescription(localize, _step)]]">
-              <ha-markdown content="[[_computeStepDescription(localize, _step)]]" disable-xss-filter></ha-markdown>
+              <ha-markdown content="[[_computeStepDescription(localize, _step)]]" allow-svg></ha-markdown>
            </template>

            <ha-form