From 28b63bac38ce9cd2b50e0e6db525e0a3a5a972e0 Mon Sep 17 00:00:00 2001
From: Emma Alexia Triphora
Date: Sun, 24 Sep 2023 09:07:22 -0400
Subject: [PATCH] Update XSS values to be consistent with knossos (#93)

Implements modrinth/knossos#1208
Implements modrinth/knossos#1239
Also closes modrinth/knossos#1371
---
 lib/helpers/parse.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/helpers/parse.js b/lib/helpers/parse.js
index 861ce9025..c38b8a296 100644
--- a/lib/helpers/parse.js
+++ b/lib/helpers/parse.js
@@ -20,11 +20,14 @@ export const configuredXss = new xss.FilterXSS({
 a: [...xss.whiteList.a, 'rel'],
 td: [...xss.whiteList.td, 'style'],
 th: [...xss.whiteList.th, 'style'],
+ picture: [],
+ source: ['media', 'sizes', 'src', 'srcset', 'type'],
 },
 css: {
 whiteList: {
 'image-rendering': /^pixelated$/,
 'text-align': /^center|left|right$/,
+ float: /^left|right$/,
 },
 },
 onIgnoreTagAttr: (tag, name, value) => {
@@ -68,6 +71,10 @@ export const configuredXss = new xss.FilterXSS({
 try {
 const url = new URL(value)
+ if (url.hostname.includes('wsrv.nl')) {
+ url.searchParams.delete('errorredirect')
+ }
+
 const allowedHostnames = [
 'imgur.com',
 'i.imgur.com',
@@ -88,9 +95,11 @@ export const configuredXss = new xss.FilterXSS({
 return xss.safeAttrValue(
 tag,
 name,
- `https://wsrv.nl/?url=${encodeURIComponent(value)}&n=-1`,
+ `https://wsrv.nl/?url=${encodeURIComponent(url.toString())}&n=-1`,
 cssFilter
 )
+ } else {
+ return xss.safeAttrValue(tag, name, url.toString(), cssFilter)
 }
 } catch (err) {
 /* empty */
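Review bot: Whitelisting `src` and `srcset` on `source` admits image URLs that the host-allowlist/proxy rewrite in the later hunks may never see: that code parses `value` as one URL inside a handler whose guard is outside this hunk, and if the guard is keyed on `img`/`src` (which is all the proxy path visibly handles), a `<picture><source srcset="https://tracker.example/x.png">` candidate is fetched by the browser directly while the sibling `img src` is proxied. `srcset` is also a comma-separated candidate list (`url 1x, url 2x`), so even if it did reach that code `new URL()` would swallow the whole string as a single URL and only the first candidate's host would be checked. Either split each candidate, run it through the same allowlist/proxy logic and rejoin, or drop `srcset` from the `source` entry until that exists. A comment on the `source` line naming which handler is expected to vet `src`/`srcset` would keep the next whitelist change from widening this further, e.g. `// src/srcset here bypass the img-only proxy rewrite — see safeAttrValue handling`.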
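Review bot: `url.hostname.includes('wsrv.nl')` is a substring test, so `notwsrv.nl` or `wsrv.nl.attacker.example` also get the parameter stripped; over-matching is harmless here, but an exact comparison, `if (url.hostname === 'wsrv.nl') {`, states the intent and cannot drift from the `allowedHostnames` entry that presumably admits the proxy host (the rest of that list is outside the hunk). Stripping only `errorredirect` assumes it is the sole spelling the service honours; wsrv.nl documents a `default` parameter with the same redirect-on-failure behaviour if I remember its API correctly, so confirm against the docs and delete every alias, e.g. `for (const p of ['errorredirect', 'default']) url.searchParams.delete(p)`. The block also deserves a why-comment, since nothing says what the parameter does: `// wsrv.nl redirects the viewer to this URL when the image fails; markdown authors must not control it`. The enclosing handler starts and ends outside this hunk.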
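Review bot: Both branches now run only when `new URL(value)` succeeds, so a protocol-relative value such as `//tracker.example/x.png` throws (no base URL), lands in the empty `catch`, and skips the allowlist and the proxy rewrite entirely; what runs after the catch is outside this hunk, but if it falls back to the library's default `safeAttrValue`, that accepts any `src` beginning with `/` and the URL reaches the page unproxied. Normalising such values before parsing closes it, e.g. `const url = new URL(value.startsWith('//') ? \`https:${value}\` : value)`, so the host check and proxy rewrite apply to them too. The `catch` should at least record why it is empty and what the fall-through does, e.g. `// unparsable (relative) URLs fall through to the default attribute filter below`. The enclosing handler starts outside this hunk.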