jeans/frontend
jeans/frontend
1
0
Fork 0
mirror of https://github.com/home-assistant/frontend.git synced 2025-07-30 12:46:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Whitelist tags/attributes instead of allow-all (#3657)

Browse Source
This commit is contained in:
Paulus Schoutsen 2019-09-08 23:47:28 -07:00 committed by GitHub
parent fe31f532b6
commit c4d888f060
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 31 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
src/resources/markdown_worker.ts
View File

@ -2,9 +2,12 @@ import marked from "marked";
// @ts-ignore // @ts-ignore
import filterXSS from "xss"; import filterXSS from "xss";
const allowedSvgTags = ["svg", "path"]; interface WhiteList {
[tag: string]: string[];
}
const allowedTag = (tag: string) => tag === "ha-icon"; let whiteListNormal: WhiteList | undefined;
let whiteListSvg: WhiteList | undefined;
export const renderMarkdown = ( export const renderMarkdown = (
content: string, content: string,
@ -13,10 +16,30 @@ export const renderMarkdown = (
// Do not allow SVG on untrusted content, it allows XSS. // Do not allow SVG on untrusted content, it allows XSS.
allowSvg?: boolean; allowSvg?: boolean;
} = {} } = {}
) => ) => {
filterXSS(marked(content, markedOptions), { if (!whiteListNormal) {
onIgnoreTag: hassOptions.allowSvg whiteListNormal = {
? (tag, html) => ...filterXSS.whiteList,
allowedTag(tag) || allowedSvgTags.includes(tag) ? html : null "ha-icon": ["icon"],
: (tag, html) => (allowedTag(tag) ? html : null), };
}
let whiteList: WhiteList | undefined;
if (hassOptions.allowSvg) {
if (!whiteListSvg) {
whiteListSvg = {
...whiteListNormal,
svg: ["xmlns", "height", "width"],
path: ["transform", "stroke", "d"],
};
}
whiteList = whiteListSvg;
} else {
whiteList = whiteListNormal;
}
return filterXSS(marked(content, markedOptions), {
whiteList,
}); });
};