From f06a7ffe55dbc38e8d5dc02cc9884772b022a28d Mon Sep 17 00:00:00 2001
From: Kibi Kelburton
Date: Fri, 12 Jun 2026 03:02:00 +0200
Subject: [PATCH] less aggressive html sanitize
---
 views/about.html | 19 ++++++++++++++-----
 views/rules.html | 19 ++++++++++++++-----
 views/terms.html | 19 ++++++++++++++-----
 3 files changed, 42 insertions(+), 15 deletions(-)
diff --git a/views/about.html b/views/about.html
index d7773f3..cc9ea87 100644
--- a/views/about.html
+++ b/views/about.html
@@ -12,6 +12,19 @@
 function escapeHtml(str) {
 return str.replace(/&/g,'&').replace(//g,'>').replace(/"/g,'"').replace(/'/g,''');
 }
+ function sanitizeHtml(html) {
+ var tmp = document.createElement('div');
+ tmp.innerHTML = html;
+ tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+ tmp.querySelectorAll('*').forEach(function(node) {
+ Array.from(node.attributes).forEach(function(attr) {
+ if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+ node.removeAttribute(attr.name);
+ }
+ });
+ });
+ return tmp.innerHTML;
+ }
 function render() {
 if (raw && el && typeof marked !== 'undefined') {
 var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
@@ -26,11 +39,7 @@
 var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
 return '' + escaped + '';
 };
- renderer.html = function(html) {
- var content = typeof html === 'object' ? (html.text || '') : html;
- return escapeHtml(content);
- };
- el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+ el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
 }
 }
 if (typeof marked !== 'undefined') {
diff --git a/views/rules.html b/views/rules.html
index 44e01e8..1201a1d 100644
--- a/views/rules.html
+++ b/views/rules.html
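Review bot: `sanitizeHtml` parses the untrusted markup into a live `div` via `tmp.innerHTML = html`, and a detached element is not inert — an `<img>` or similar element created by that assignment can start its resource request at parse time, before the attribute loop below strips handlers — so the parse should go through an inert document (`new DOMParser().parseFromString(html, 'text/html')`) instead; the identical function is added in the rules.html and terms.html hunks as well. The attribute filter is also a denylist that checks only `href` for a single scheme, whereas `src`, `action`, `formaction` and `xlink:href` carry URLs too and the browser's scheme parsing is more lenient than `/^javascript:/i`, so resolving each URL attribute with `new URL(value, document.baseURI)` and allowing only `http:`, `https:` and `mailto:` is the sturdier check. Since the second hunk drops the `renderer.html` escaping, every raw HTML fragment in the markdown now reaches the DOM through this function alone, so if a maintained sanitizer (DOMPurify or the Sanitizer API) is available to the project it should be preferred over hand-rolled filtering; whether the base64 content in `raw` is author-controlled is not visible here. The rewrite below keeps the element-removal selector as is.
```javascript
function sanitizeHtml(html) {
  // Parse into an inert document: nothing in it fetches resources or runs handlers while it is cleaned.
  var doc = new DOMParser().parseFromString(html, 'text/html');
  var tmp = doc.body;
  // … unchanged: removal of script/iframe/object/embed/form/input/button/select/meta/link/base/style elements …
  var urlAttrs = ['href', 'src', 'action', 'formaction', 'xlink:href'];
  tmp.querySelectorAll('*').forEach(function(node) {
    Array.from(node.attributes).forEach(function(attr) {
      var name = attr.name.toLowerCase();
      var bad = /^on/.test(name);
      if (!bad && urlAttrs.indexOf(name) !== -1) {
        var scheme;
        // Resolve relative URLs against the page so "/path" and "#anchor" keep working; unparseable values are dropped.
        try { scheme = new URL(attr.value, document.baseURI).protocol; } catch (e) { scheme = null; }
        bad = scheme !== 'http:' && scheme !== 'https:' && scheme !== 'mailto:';
      }
      if (bad) { node.removeAttribute(attr.name); }
    });
  });
  return tmp.innerHTML;
}
```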
@@ -12,6 +12,19 @@
 function escapeHtml(str) {
 return str.replace(/&/g,'&').replace(//g,'>').replace(/"/g,'"').replace(/'/g,''');
 }
+ function sanitizeHtml(html) {
+ var tmp = document.createElement('div');
+ tmp.innerHTML = html;
+ tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+ tmp.querySelectorAll('*').forEach(function(node) {
+ Array.from(node.attributes).forEach(function(attr) {
+ if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+ node.removeAttribute(attr.name);
+ }
+ });
+ });
+ return tmp.innerHTML;
+ }
 function render() {
 if (raw && el && typeof marked !== 'undefined') {
 var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
@@ -26,11 +39,7 @@
 var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
 return '' + escaped + '';
 };
- renderer.html = function(html) {
- var content = typeof html === 'object' ? (html.text || '') : html;
- return escapeHtml(content);
- };
- el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+ el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
 }
 }
 if (typeof marked !== 'undefined') {
diff --git a/views/terms.html b/views/terms.html
index 30f3df1..8bc6cad 100644
--- a/views/terms.html
+++ b/views/terms.html
@@ -12,6 +12,19 @@
 function escapeHtml(str) {
 return str.replace(/&/g,'&').replace(//g,'>').replace(/"/g,'"').replace(/'/g,''');
 }
+ function sanitizeHtml(html) {
+ var tmp = document.createElement('div');
+ tmp.innerHTML = html;
+ tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+ tmp.querySelectorAll('*').forEach(function(node) {
+ Array.from(node.attributes).forEach(function(attr) {
+ if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+ node.removeAttribute(attr.name);
+ }
+ });
+ });
+ return tmp.innerHTML;
+ }
 function render() {
 if (raw && el && typeof marked !== 'undefined') {
 var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
@@ -26,11 +39,7 @@
 var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
 return '' + escaped + '';
 };
- renderer.html = function(html) {
- var content = typeof html === 'object' ? (html.text || '') : html;
- return escapeHtml(content);
- };
- el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+ el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
 }
 }
 if (typeof marked !== 'undefined') {