wikijs-fork/server/modules/rendering/html-security/renderer.js
Иван 79c5b8fac2
fix: security html module removes allow attribute from iframes (#2354)
* fix: secure html module removes allowfullscreen, allow and frameborder attributes from iframes
* Apply suggestions from code review
fix: remove deprecated attributes for iframe in secure html module

Co-authored-by: Nicolas Giard <github@ngpixel.com>
2020-09-13 13:55:32 -04:00

43 lines
1.2 KiB
JavaScript

const { JSDOM } = require('jsdom')
const createDOMPurify = require('dompurify')
module.exports = {
async init(input, config) {
if (config.safeHTML) {
const window = new JSDOM('').window
const DOMPurify = createDOMPurify(window)
const allowedAttrs = ['v-pre', 'v-slot:tabs', 'v-slot:content', 'target']
const allowedTags = ['tabset', 'template']
if (config.allowDrawIoUnsafe) {
allowedTags.push('foreignObject')
DOMPurify.addHook('uponSanitizeElement', (elm) => {
if (elm.querySelectorAll) {
const breaks = elm.querySelectorAll('foreignObject br, foreignObject p')
if (breaks && breaks.length) {
for (let i = 0; i < breaks.length; i++) {
breaks[i].parentNode.replaceChild(
window.document.createElement('div'),
breaks[i]
)
}
}
}
})
}
if (config.allowIFrames) {
allowedTags.push('iframe')
allowedAttrs.push('allow')
}
input = DOMPurify.sanitize(input, {
ADD_ATTR: allowedAttrs,
ADD_TAGS: allowedTags
})
}
return input
}
}