Update XSS values to be consistent with knossos (#93)

Implements modrinth/knossos#1208
Implements modrinth/knossos#1239

Also closes modrinth/knossos#1371
Emma Alexia Triphora
2023-09-24 09:07:22 -04:00
committed by GitHub
parent ae7f7e9bd6
commit 28b63bac38


@@ -20,11 +20,14 @@ export const configuredXss = new xss.FilterXSS({
a: [...xss.whiteList.a, 'rel'], a: [...xss.whiteList.a, 'rel'],
td: [...xss.whiteList.td, 'style'], td: [...xss.whiteList.td, 'style'],
th: [...xss.whiteList.th, 'style'], th: [...xss.whiteList.th, 'style'],
picture: [],
source: ['media', 'sizes', 'src', 'srcset', 'type'],
}, },
css: { css: {
whiteList: { whiteList: {
'image-rendering': /^pixelated$/, 'image-rendering': /^pixelated$/,
'text-align': /^center|left|right$/, 'text-align': /^center|left|right$/,
float: /^left|right$/,
}, },
}, },
onIgnoreTagAttr: (tag, name, value) => { onIgnoreTagAttr: (tag, name, value) => {
@@ -68,6 +71,10 @@ export const configuredXss = new xss.FilterXSS({
try { try {
const url = new URL(value) const url = new URL(value)
if (url.hostname.includes('wsrv.nl')) {
url.searchParams.delete('errorredirect')
}
const allowedHostnames = [ const allowedHostnames = [
'imgur.com', 'imgur.com',
'i.imgur.com', 'i.imgur.com',
@@ -88,9 +95,11 @@ export const configuredXss = new xss.FilterXSS({
return xss.safeAttrValue( return xss.safeAttrValue(
tag, tag,
name, name,
`https://wsrv.nl/?url=${encodeURIComponent(value)}&n=-1`, `https://wsrv.nl/?url=${encodeURIComponent(url.toString())}&n=-1`,
cssFilter cssFilter
) )
} else {
return xss.safeAttrValue(tag, name, url.toString(), cssFilter)
} }
} catch (err) { } catch (err) {
/* empty */ /* empty */
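Review bot: The new `float: /^left|right$/` entry in the css whiteList anchors each alternative separately, so it accepts any value that merely starts with `left` or ends with `right`; group the alternation as `float: /^(left|right)$/,`. The neighbouring context line `'text-align': /^center|left|right$/` has the same shape and is worth tightening in the same pass to `/^(center|left|right)$/`. In the second hunk, `url.hostname.includes('wsrv.nl')` is a substring test, so it also fires on unrelated hosts whose name contains that text; an exact comparison such as `url.hostname === 'wsrv.nl'` (plus an `endsWith('.wsrv.nl')` check if subdomains are expected) states the intent more precisely. The `configuredXss` options object and the `allowedHostnames` list continue outside the visible hunks, so whether other redirect-style query parameters need the same stripping as `errorredirect` cannot be judged from here and should be confirmed against the proxy's documentation.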