Remove vue-html-secure package

client/homebrew/brewRenderer/brewRenderer.jsx

@@ -27,7 +27,7 @@ const INITIAL_CONTENT = dedent`
 	<base target=_blank>
 	</head><body style='overflow: hidden'><div></div></body></html>`;
 
-let safeHTML = ()=>{};
+import { safeHTML } from './safeHTML.js';
 
 //v=====----------------------< Brew Page Component >---------------------=====v//
 const BrewPage = (props)=>{
@@ -170,8 +170,6 @@ const BrewRenderer = (props)=>{
 	};
 
 	const frameDidMount = ()=>{	//This triggers when iFrame finishes internal "componentDidMount"
-		safeHTML = require('vue-html-secure').safeHTML;
-
 		setTimeout(()=>{	//We still see a flicker where the style isn't applied yet, so wait 100ms before showing iFrame
 			updateSize();
 			window.addEventListener('resize', updateSize);

client/homebrew/brewRenderer/safeHTML.js

@@ -0,0 +1,44 @@
+let doc = null;
+let div = null;
+
+function safeHTML(htmlString) {
+	// If the Document interface doesn't exist, exit
+	if(!document) return null;
+	// If the test document and div don't exist, create them
+	if(!doc) doc = document.implementation.createHTMLDocument('');
+	if(!div) div = doc.createElement('div');
+
+	// Set the test div contents to the evaluation string
+	div.innerHTML = htmlString;
+	// Grab all nodes from the test div
+	const elements = div.querySelectorAll('*');
+
+	// Blacklisted tags
+	const blacklistTags = ['script', 'noscript', 'noembed'];
+	// Tests to remove attributes
+	const blacklistAttrs = [
+		(test)=>{return test.localName.indexOf('on') == 0;},
+		(test)=>{return test.value.replace(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g, '').toLowerCase().trim().indexOf('javascript:') == 0;}
+	];
+
+
+	elements.forEach((element)=>{
+		// Check each element for blacklisted type
+		if(blacklistTags.includes(element?.localName?.toLowerCase())) {
+			element.parentNode.removeChild(element);
+			return;
+		}
+		// Check remaining elements for blacklisted attributes
+		if(element.hasAttributes()){
+			for (const attribute of element.attributes){
+				let result = false;
+				blacklistAttrs.forEach((test)=>{result ||= test(attribute);});
+				if(result) element.removeAttribute(attribute.localName);
+			};
+		};
+	});
+
+	return div.innerHTML;
+};
+
+module.exports.safeHTML = safeHTML;

package-lock.json

@@ -46,8 +46,7 @@
         "react-router-dom": "6.23.1",
         "sanitize-filename": "1.6.3",
         "superagent": "^9.0.2",
-        "vitreum": "git+https://git@github.com/calculuschild/vitreum.git",
+        "vitreum": "git+https://git@github.com/calculuschild/vitreum.git"
-        "vue-html-secure": "^1.0.10"
       },
       "devDependencies": {
         "eslint": "^8.57.0",
@@ -14623,11 +14622,6 @@
       "resolved": "https://registry.npmjs.org/vm-browserify/-/vm-browserify-1.1.2.tgz",
       "integrity": "sha512-2ham8XPWTONajOR0ohOKOHXkm3+gaBmGut3SRuu75xLd/RRaY6vqgh8NBYYk7+RW3u5AtzPQZG8F10LHkl0lAQ=="
     },
-    "node_modules/vue-html-secure": {
-      "version": "1.0.10",
-      "resolved": "https://registry.npmjs.org/vue-html-secure/-/vue-html-secure-1.0.10.tgz",
-      "integrity": "sha512-Cvlg0vYQiRxouXMFHQ87n5AIadl8SnrTNKbNENhJMlQIyrFkbXZ8yjn4c03BB0BeoPOf8vHKSx8f4yR3BIqYjQ=="
-    },
     "node_modules/walker": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/walker/-/walker-1.0.8.tgz",

package.json

@@ -118,8 +118,7 @@
     "react-router-dom": "6.23.1",
     "sanitize-filename": "1.6.3",
     "superagent": "^9.0.2",
-    "vitreum": "git+https://git@github.com/calculuschild/vitreum.git",
+    "vitreum": "git+https://git@github.com/calculuschild/vitreum.git"
-    "vue-html-secure": "^1.0.10"
   },
   "devDependencies": {
     "eslint": "^8.57.0",