wikijs-fork/server/modules/rendering/html-security/renderer.js

const { JSDOM } = require('jsdom')
const createDOMPurify = require('dompurify')

module.exports = {
  async init(input, config) {
    if (config.safeHTML) {
      const window = new JSDOM('').window
      const DOMPurify = createDOMPurify(window)

      const allowedAttrs = ['v-pre', 'v-slot:tabs', 'v-slot:content', 'target']
      const allowedTags = ['tabset', 'template']

      if (config.allowIFrames) {
        allowedTags.push('iframe')
      }

      input = DOMPurify.sanitize(input, {
        ADD_ATTR: allowedAttrs,
        ADD_TAGS: allowedTags
      })
    }
    return input
  }
}
fix: escape mustache template chars in content 2020-05-08 21:00:02 +00:00			`const { JSDOM } = require('jsdom')`
			`const createDOMPurify = require('dompurify')`
feat: html code highlighter 2018-09-16 04:35:03 +00:00
feat: rendering security module 2019-12-12 04:35:54 +00:00			`module.exports = {`
			`async init(input, config) {`
			`if (config.safeHTML) {`
fix: escape mustache template chars in content 2020-05-08 21:00:02 +00:00			`const window = new JSDOM('').window`
			`const DOMPurify = createDOMPurify(window)`

fix: secure html module removes target attribute from links (#2012) 2020-06-07 23:23:33 +00:00			`const allowedAttrs = ['v-pre', 'v-slot:tabs', 'v-slot:content', 'target']`
fix: escape mustache template chars in content 2020-05-08 21:00:02 +00:00			`const allowedTags = ['tabset', 'template']`

			`if (config.allowIFrames) {`
			`allowedTags.push('iframe')`
			`}`

			`input = DOMPurify.sanitize(input, {`
			`ADD_ATTR: allowedAttrs,`
			`ADD_TAGS: allowedTags`
feat: rendering security module 2019-12-12 04:35:54 +00:00			`})`
			`}`
			`return input`
feat: html code highlighter 2018-09-16 04:35:03 +00:00			`}`
			`}`