xss injection security

justoverclockl · May 8, 2022 · 86c5fc4 · 86c5fc4
1 parent 56a95de
commit 86c5fc4
Show file tree

Hide file tree

Showing 6 changed files with 1,565 additions and 1,541 deletions.
diff --git a/js/dist/forum.js b/js/dist/forum.js
diff --git a/js/dist/forum.js.LICENSE.txt b/js/dist/forum.js.LICENSE.txt
diff --git a/js/dist/forum.js.map b/js/dist/forum.js.map
diff --git a/js/package.json b/js/package.json
@@ -17,6 +17,7 @@
     },
     "prettier": "@flarum/prettier-config",
     "dependencies": {
+        "dompurify": "^2.3.6",
         "flarum": "^0.1.0-beta.16"
     }
 }
diff --git a/js/src/forum/components/FirstVisitPopup.js b/js/src/forum/components/FirstVisitPopup.js
@@ -1,5 +1,6 @@
 import Modal from 'flarum/common/components/Modal';
 import app from 'flarum/forum/app';
+import DOMPurify from 'dompurify';
 
 export default class CustomModal extends Modal {
   static isDismissible = true;
@@ -8,7 +9,22 @@ export default class CustomModal extends Modal {
     super.oncreate(vnode);
     const modalContent = app.forum.attribute('justoverclock-first-visit-popup.modalContent');
     const modal = document.getElementById('fvp-modal');
-    modal.innerHTML = modalContent;
+    modal.innerHTML = DOMPurify.sanitize(modalContent, {
+      USE_PROFILES: { html: true },
+      FORCE_BODY: true,
+      ALLOWED_ATTR: ['style', 'class', 'type', 'href', 'rel'],
+      ALLOWED_TAGS: [
+        'link',
+        'figure',
+        'table',
+        'caption',
+        'thead',
+        'tr',
+        'th',
+        'tbody',
+        'td',
+      ],
+    });
   }
 
   className() {