Whitelist tags/attributes instead of allow-all (#3657)

2025-07-30 12:46:35 +00:00 · 2019-09-08 23:47:28 -07:00 · 2019-09-08 23:47:28 -07:00 · c4d888f060
commit c4d888f060
parent fe31f532b6
1 changed files with 31 additions and 8 deletions
--- a/src/resources/markdown_worker.ts
+++ b/src/resources/markdown_worker.ts
@ -2,9 +2,12 @@ import marked from "marked";
 // @ts-ignore
 import filterXSS from "xss";

-const allowedSvgTags = ["svg", "path"];
+interface WhiteList {
+  [tag: string]: string[];
+}

-const allowedTag = (tag: string) => tag === "ha-icon";
+let whiteListNormal: WhiteList | undefined;
+let whiteListSvg: WhiteList | undefined;

 export const renderMarkdown = (
  content: string,
@ -13,10 +16,30 @@ export const renderMarkdown = (
    // Do not allow SVG on untrusted content, it allows XSS.
    allowSvg?: boolean;
  } = {}
-) =>
-  filterXSS(marked(content, markedOptions), {
-    onIgnoreTag: hassOptions.allowSvg
-      ? (tag, html) =>
-          allowedTag(tag) || allowedSvgTags.includes(tag) ? html : null
-      : (tag, html) => (allowedTag(tag) ? html : null),
+) => {
+  if (!whiteListNormal) {
+    whiteListNormal = {
+      ...filterXSS.whiteList,
+      "ha-icon": ["icon"],
+    };
+  }
+
+  let whiteList: WhiteList | undefined;
+
+  if (hassOptions.allowSvg) {
+    if (!whiteListSvg) {
+      whiteListSvg = {
+        ...whiteListNormal,
+        svg: ["xmlns", "height", "width"],
+        path: ["transform", "stroke", "d"],
+      };
+    }
+    whiteList = whiteListSvg;
+  } else {
+    whiteList = whiteListNormal;
+  }
+
+  return filterXSS(marked(content, markedOptions), {
+    whiteList,
  });
+};