fix: sanitize html

2026-04-28 16:15:21 +00:00 · 2022-10-05 18:13:03 +03:00
parent c837afd075
commit f70d4c6bac
4 changed files with 25 additions and 10 deletions
--- a/src/main/frontend/components/block.cljs
+++ b/src/main/frontend/components/block.cljs
@@ -1543,7 +1543,7 @@

         ["Entity" e]
         [:span {:dangerouslySetInnerHTML
-                 {:__html (:html e)}}]
+                 {:__html (:html (security/sanitize-html e))}}]

         ["Latex_Fragment" [display s]] ;display can be "Displayed" or "Inline"
         (if html-export?
@@ -1573,18 +1573,20 @@
         ["Export_Snippet" "html" s]
         (when (not html-export?)
           [:span {:dangerouslySetInnerHTML
-                   {:__html s}}])
+                   {:__html (security/sanitize-html s)}}])

         ["Inline_Hiccup" s] ;; String to hiccup
         (ui/catch-error
          [:div.warning {:title "Invalid hiccup"} s]
-          (-> (safe-read-string s)
-              (security/remove-javascript-links-in-href)))
+          [:div.hiccup_html {:dangerouslySetInnerHTML
+                             {:__html (-> (safe-read-string s)
+                                          (rum/render-static-markup)
+                                          (security/sanitize-html))}}])

         ["Inline_Html" s]
         (when (not html-export?)
           ;; TODO: how to remove span and only export the content of `s`?
-           [:span {:dangerouslySetInnerHTML {:__html s}}])
+           [:span {:dangerouslySetInnerHTML {:__html (security/sanitize-html s)}}])

         [(:or "Break_Line" "Hard_Break_Line")]
         [:br]
@@ -3306,17 +3308,19 @@
      ["Raw_Html" content]
      (when (not html-export?)
        [:div.raw_html {:dangerouslySetInnerHTML
-                        {:__html content}}])
+                        {:__html (security/sanitize-html content)}}])
      ["Export" "html" _options content]
      (when (not html-export?)
        [:div.export_html {:dangerouslySetInnerHTML
-                           {:__html content}}])
+                           {:__html (security/sanitize-html content)}}])
      ["Hiccup" content]
      (ui/catch-error
       [:div.warning {:title "Invalid hiccup"}
        content]
-       (-> (safe-read-string content)
-           (security/remove-javascript-links-in-href)))
+       [:div.hiccup_html {:dangerouslySetInnerHTML
+                          {:__html (-> (safe-read-string content)
+                                       (rum/render-static-markup)
+                                       (security/sanitize-html))}}])

      ["Export" "latex" _options content]
      (if html-export?