sanitise some admin-controlled HTML #406

This protects against rogue admins injecting bad HTML into
rules/descriptions.
dakkar 2024-02-09 12:19:19 +00:00
parent 34b4646b9f
commit b029738ec0
3 changed files with 7 additions and 4 deletions


@ -16,7 +16,7 @@ SPDX-License-Identifier: AGPL-3.0-only
</h1>
<div :class="$style.mainAbout">
<!-- eslint-disable-next-line vue/no-v-html -->
<div v-html="meta.description || i18n.ts.headlineMisskey"></div>
<div v-html="sanitizeHtml(meta.description) || i18n.ts.headlineMisskey"></div>
</div>
<div v-if="instance.disableRegistration" :class="$style.mainWarn">
<MkInfo warn>{{ i18n.ts.invitationRequiredToRegister }}</MkInfo>
@ -56,6 +56,7 @@ SPDX-License-Identifier: AGPL-3.0-only
<script lang="ts" setup>
import { ref } from 'vue';
import * as Misskey from 'misskey-js';
import sanitizeHtml from 'sanitize-html';
import XSigninDialog from '@/components/MkSigninDialog.vue';
import XSignupDialog from '@/components/MkSignupDialog.vue';
import MkButton from '@/components/MkButton.vue';
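Review bot: The `sanitizeHtml(meta.description)` call in the `v-html` binding of the first hunk passes no options, so the tags and attributes an admin-supplied description may keep are set by sanitize-html's built-in defaults for whichever version is installed, not by a policy this project owns. Passing an explicit allowlist through the library's `allowedTags` and `allowedAttributes` options, ideally from one shared options object reused by the other files this commit touches, would make the policy reviewable and stable across dependency upgrades. The `eslint-disable-next-line vue/no-v-html` suppression stays in place, so a short comment such as `<!-- v-html is acceptable here: the description is passed through sanitizeHtml first -->` would record why. Sanitising only at render time leaves the stored value raw, so any other consumer of `meta.description` presumably still needs its own sanitisation; cleaning the value on write would cover those as well.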