fix(api): sanitize html for security

2026-04-24 22:25:01 +00:00 · 2021-10-08 17:02:58 +08:00
parent e1c39de9ce
commit c34c9184e2
3 changed files with 13 additions and 9 deletions
--- a/libs/src/LSPlugin.core.ts
+++ b/libs/src/LSPlugin.core.ts
@@ -244,13 +244,6 @@ function initProviderHandlers (pluginLocal: PluginLocal) {

  pluginLocal.on(_('ui'), (ui: UIOptions) => {
    pluginLocal._onHostMounted(() => {
-      // safe template
-      ui.template = DOMPurify.sanitize(
-        ui.template, {
-          ADD_TAGS: ['iframe'],
-          ALLOW_UNKNOWN_PROTOCOLS: true,
-          ADD_ATTR: ['allow', 'src', 'allowfullscreen', 'frameborder', 'scrolling']
-        })

      pluginLocal._dispose(
        setupInjectedUI.call(pluginLocal,
--- a/libs/src/helpers.ts
+++ b/libs/src/helpers.ts
@@ -2,6 +2,7 @@ import { StyleString, UIOptions } from './LSPlugin'
 import { PluginLocal } from './LSPlugin.core'
 import { snakeCase } from 'snake-case'
 import * as nodePath from 'path'
+import DOMPurify from 'dompurify'

 interface IObject {
  [key: string]: any;
@@ -255,6 +256,16 @@ export function setupInjectedUI (

  let el = document.querySelector(`#${id}`) as HTMLElement

+  if (ui.template) {
+    // safe template
+    ui.template = DOMPurify.sanitize(
+      ui.template, {
+        ADD_TAGS: ['iframe'],
+        ALLOW_UNKNOWN_PROTOCOLS: true,
+        ADD_ATTR: ['allow', 'src', 'allowfullscreen', 'frameborder', 'scrolling']
+      })
+  }
+
  if (el) {
    el.innerHTML = ui.template
    return
--- a/resources/js/lsplugin.core.js
+++ b/resources/js/lsplugin.core.js