Knossos Catch-up (#58)

* Knossos Catch-up * bump version * fix build * fix build again * Fix lint * downgrade pnpm * fix modals * fix btn style * add missing styles
2023-05-28 16:36:49 -04:00
parent bbb2539ace
commit 1db59fc052
21 changed files with 3014 additions and 1992 deletions
--- a/lib/helpers/parse.js
+++ b/lib/helpers/parse.js
@@ -14,7 +14,9 @@ export const configuredXss = new xss.FilterXSS({
    kbd: ['id'],
    input: ['checked', 'disabled', 'type'],
    iframe: ['width', 'height', 'allowfullscreen', 'frameborder', 'start', 'end'],
-    img: [...xss.whiteList.img, 'style'],
+    img: [...xss.whiteList.img, 'usemap'],
+    map: ['name'],
+    area: [...xss.whiteList.a, 'coords'],
    a: [...xss.whiteList.a, 'rel'],
  },
  css: {
@@ -56,6 +58,42 @@ export const configuredXss = new xss.FilterXSS({
      return name + '="' + xss.escapeAttrValue(value) + '"'
    }
  },
+  safeAttrValue(tag, name, value, cssFilter) {
+    if (tag === 'img' && name === 'src' && !value.startsWith('data:')) {
+      try {
+        const url = new URL(value)
+
+        const allowedHostnames = [
+          'imgur.com',
+          'i.imgur.com',
+          'cdn-raw.modrinth.com',
+          'cdn.modrinth.com',
+          'staging-cdn-raw.modrinth.com',
+          'staging-cdn.modrinth.com',
+          'github.com',
+          'raw.githubusercontent.com',
+          'img.shields.io',
+          'i.postimg.cc',
+          'wsrv.nl',
+          'cf.way2muchnoise.eu',
+          'bstats.org',
+        ]
+
+        if (!allowedHostnames.includes(url.hostname)) {
+          return xss.safeAttrValue(
+            tag,
+            name,
+            `https://wsrv.nl/?url=${encodeURIComponent(value)}&n=-1`,
+            cssFilter
+          )
+        }
+      } catch (err) {
+        /* empty */
+      }
+    }
+
+    return xss.safeAttrValue(tag, name, value, cssFilter)
+  },
 })

 export const md = (options = {}) => {
@@ -96,47 +134,6 @@ export const md = (options = {}) => {
    return defaultLinkOpenRenderer(tokens, idx, options, env, self)
  }

-  const defaultImageRenderer =
-    md.renderer.rules.image ||
-    function (tokens, idx, options, _env, self) {
-      return self.renderToken(tokens, idx, options)
-    }
-
-  md.renderer.rules.image = function (tokens, idx, options, env, self) {
-    const token = tokens[idx]
-    const index = token.attrIndex('src')
-
-    if (index !== -1) {
-      const src = token.attrs[index][1]
-
-      try {
-        const url = new URL(src)
-
-        const allowedHostnames = [
-          'imgur.com',
-          'i.imgur.com',
-          'cdn-raw.modrinth.com',
-          'cdn.modrinth.com',
-          'staging-cdn-raw.modrinth.com',
-          'staging-cdn.modrinth.com',
-          'github.com',
-          'raw.githubusercontent.com',
-          'img.shields.io',
-          'i.postimg.cc',
-        ]
-
-        if (allowedHostnames.includes(url.hostname)) {
-          return defaultImageRenderer(tokens, idx, options, env, self)
-        }
-      } catch (err) {
-        /* empty */
-      }
-      token.attrs[index][1] = `https://wsrv.nl/?url=${encodeURIComponent(src)}`
-    }
-
-    return defaultImageRenderer(tokens, idx, options, env, self)
-  }
-
  return md
 }