fix: draw.io svgs are no longer removed with linebreaks (#2415)

2020-09-12 14:05:24 -04:00
parent 02c3c66084
commit 8f6cba262f
5 changed files with 538 additions and 342 deletions
--- a/server/modules/rendering/html-security/definition.yml
+++ b/server/modules/rendering/html-security/definition.yml
@@ -14,9 +14,15 @@ props:
    default: true
    hint: Sanitize HTML from unsafe attributes and tags that could lead to XSS attacks
    order: 1
+  allowDrawIoUnsafe:
+    type: Boolean
+    title: Allow Draw.io Unsafe Elements
+    default: true
+    hint: Draw.io diagrams may introduce some elements that are usually filtered. Turning off this option may cause some diagrams to be completely removed during the sanitization process.
+    order: 2
  allowIFrames:
    type: Boolean
    title: Allow iframes
    default: false
    hint: iframes will not be stripped if enabled. (Not recommended)
-    order: 2
+    order: 3
--- a/server/modules/rendering/html-security/renderer.js
+++ b/server/modules/rendering/html-security/renderer.js
@@ -10,6 +10,23 @@ module.exports = {
      const allowedAttrs = ['v-pre', 'v-slot:tabs', 'v-slot:content', 'target']
      const allowedTags = ['tabset', 'template']

+      if (config.allowDrawIoUnsafe) {
+        allowedTags.push('foreignObject')
+        DOMPurify.addHook('uponSanitizeElement', (elm) => {
+          if (elm.querySelectorAll) {
+            const breaks = elm.querySelectorAll('foreignObject br, foreignObject p')
+            if (breaks && breaks.length) {
+              for (let i = 0; i < breaks.length; i++) {
+                breaks[i].parentNode.replaceChild(
+                  window.document.createElement('div'),
+                  breaks[i]
+                )
+              }
+            }
+          }
+        })
+      }
+
      if (config.allowIFrames) {
        allowedTags.push('iframe')
      }