From 52658d6e44151071e0eac72550c49735efa6d756 Mon Sep 17 00:00:00 2001
From: "G.Ambatte"
Date: Tue, 2 Jul 2024 15:34:40 +1200
Subject: [PATCH] Remove vue-html-secure package
---
 client/homebrew/brewRenderer/brewRenderer.jsx | 4 +-
 client/homebrew/brewRenderer/safeHTML.js | 44 +++++++++++++++++++
 package-lock.json | 8 +---
 package.json | 3 +-
 4 files changed, 47 insertions(+), 12 deletions(-)
 create mode 100644 client/homebrew/brewRenderer/safeHTML.js
diff --git a/client/homebrew/brewRenderer/brewRenderer.jsx b/client/homebrew/brewRenderer/brewRenderer.jsx
index 09f60cb5d..5badaa880 100644
--- a/client/homebrew/brewRenderer/brewRenderer.jsx
+++ b/client/homebrew/brewRenderer/brewRenderer.jsx
@@ -27,7 +27,7 @@ const INITIAL_CONTENT = dedent`
`; -let safeHTML = ()=>{}; +import { safeHTML } from './safeHTML.js'; //v=====----------------------< Brew Page Component >---------------------=====v// const BrewPage = (props)=>{ @@ -170,8 +170,6 @@ const BrewRenderer = (props)=>{ }; const frameDidMount = ()=>{ //This triggers when iFrame finishes internal "componentDidMount" - safeHTML = require('vue-html-secure').safeHTML; - setTimeout(()=>{ //We still see a flicker where the style isn't applied yet, so wait 100ms before showing iFrame updateSize(); window.addEventListener('resize', updateSize); diff --git a/client/homebrew/brewRenderer/safeHTML.js b/client/homebrew/brewRenderer/safeHTML.js new file mode 100644 index 000000000..a13211907 --- /dev/null +++ b/client/homebrew/brewRenderer/safeHTML.js 
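Review bot: The new `import { safeHTML } from './safeHTML.js';` in brewRenderer.jsx relies on the bundler's CommonJS interop, because the module added later in this patch exports with `module.exports.safeHTML = safeHTML;` rather than an ES export. Ending safeHTML.js with `export { safeHTML };` (or loading it here with `const { safeHTML } = require('./safeHTML.js');`) keeps both sides in one module system. The import also sits below `INITIAL_CONTENT`; imports are hoisted regardless of position, so it would read better next to the file's other module loads, which are presumably above this hunk and not visible here.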
@@ -0,0 +1,44 @@
+let doc = null;
+let div = null;
+
+function safeHTML(htmlString) {
+ // If the Document interface doesn't exist, exit
+ if(!document) return null;
+ // If the test document and div don't exist, create them
+ if(!doc) doc = document.implementation.createHTMLDocument('');
+ if(!div) div = doc.createElement('div');
+
+ // Set the test div contents to the evaluation string
+ div.innerHTML = htmlString;
+ // Grab all nodes from the test div
+ const elements = div.querySelectorAll('*');
+
+ // Blacklisted tags
+ const blacklistTags = ['script', 'noscript', 'noembed'];
+ // Tests to remove attributes
+ const blacklistAttrs = [
+ (test)=>{return test.localName.indexOf('on') == 0;},
+ (test)=>{return test.value.replace(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g, '').toLowerCase().trim().indexOf('javascript:') == 0;}
+ ];
+
+
+ elements.forEach((element)=>{
+ // Check each element for blacklisted type
+ if(blacklistTags.includes(element?.localName?.toLowerCase())) {
+ element.parentNode.removeChild(element);
+ return;
+ }
+ // Check remaining elements for blacklisted attributes
+ if(element.hasAttributes()){
+ for (const attribute of element.attributes){
+ let result = false;
+ blacklistAttrs.forEach((test)=>{result ||= test(attribute);});
+ if(result) element.removeAttribute(attribute.localName);
+ };
+ };
+ });
+
+ return div.innerHTML;
+};
+
+module.exports.safeHTML = safeHTML;
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
index d11c6384f..a7c9c48c7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -46,8 +46,7 @@ "react-router-dom": "6.23.1", "sanitize-filename": "1.6.3", "superagent": "^9.0.2", - "vitreum": "git+https://git@github.com/calculuschild/vitreum.git", - "vue-html-secure": "^1.0.10" + "vitreum": "git+https://git@github.com/calculuschild/vitreum.git" }, "devDependencies": { "eslint": "^8.57.0",
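Review bot: In safeHTML.js the attribute loop removes entries from `element.attributes` while iterating it; that collection is live, so each removal shifts the remaining entries and the attribute directly after a removed one is never tested by the sanitizer. Iterate a snapshot and remove the attribute node itself, which also covers prefixed attributes whose qualified name differs from `localName`: `for (const attribute of Array.from(element.attributes)){` with `if(blacklistAttrs.some((test)=>test(attribute))) element.removeAttributeNode(attribute);`. The guard `if(!document) return null;` throws a ReferenceError where `document` is undeclared instead of returning; `if(typeof document === 'undefined') return null;` does what its comment describes. Because this is a denylist of three tags and two attribute patterns, any markup not listed passes through unchanged, so a comment above `blacklistTags` should state that limit, and an allowlist or a maintained sanitizer would be the stronger choice if the input is user-authored (the callers are not visible in this patch).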
@@ -14623,11 +14622,6 @@ "resolved": "https://registry.npmjs.org/vm-browserify/-/vm-browserify-1.1.2.tgz", "integrity": "sha512-2ham8XPWTONajOR0ohOKOHXkm3+gaBmGut3SRuu75xLd/RRaY6vqgh8NBYYk7+RW3u5AtzPQZG8F10LHkl0lAQ==" }, - "node_modules/vue-html-secure": { - "version": "1.0.10", - "resolved": "https://registry.npmjs.org/vue-html-secure/-/vue-html-secure-1.0.10.tgz", - "integrity": "sha512-Cvlg0vYQiRxouXMFHQ87n5AIadl8SnrTNKbNENhJMlQIyrFkbXZ8yjn4c03BB0BeoPOf8vHKSx8f4yR3BIqYjQ==" - }, "node_modules/walker": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/walker/-/walker-1.0.8.tgz",
diff --git a/package.json b/package.json
index 18a8dde0f..60041a1fe 100644
--- a/package.json
+++ b/package.json
@@ -118,8 +118,7 @@
 "react-router-dom": "6.23.1",
 "sanitize-filename": "1.6.3",
 "superagent": "^9.0.2",
- "vitreum": "git+https://git@github.com/calculuschild/vitreum.git",
- "vue-html-secure": "^1.0.10"
+ "vitreum": "git+https://git@github.com/calculuschild/vitreum.git"
 },
 "devDependencies": {
 "eslint": "^8.57.0",