aboutsummaryrefslogtreecommitdiff
path: root/src/services
diff options
context:
space:
mode:
authorHJ <30-hj@users.noreply.git.pleroma.social>2022-11-26 22:17:18 +0000
committerHJ <30-hj@users.noreply.git.pleroma.social>2022-11-26 22:17:18 +0000
commit6175a153ed4e5eb30fd4b5d5f6b3fff34a81a89c (patch)
tree393ea8ce9ba98a6d1eeb4555d052fc90c133befc /src/services
parent045a222183ac47b48e14e1639e7107aa0bffb015 (diff)
parent74813864fcbd513a5782b739055f132c68e6eca7 (diff)
Merge branch 'shout-float-fix' into 'develop'
Fix HTML exploit of the day (shout-float in rich media) See merge request pleroma/pleroma-fe!1689
Diffstat (limited to 'src/services')
-rw-r--r--src/services/html_converter/utility.service.js12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/services/html_converter/utility.service.js b/src/services/html_converter/utility.service.js
index 583ccca5..f1042971 100644
--- a/src/services/html_converter/utility.service.js
+++ b/src/services/html_converter/utility.service.js
@@ -16,7 +16,7 @@ export const getTagName = (tag) => {
* @return {Object} - map of attributes key = attribute name, value = attribute value
* attributes without values represented as boolean true
*/
-export const getAttrs = tag => {
+export const getAttrs = (tag, filter) => {
const innertag = tag
.substring(1, tag.length - 1)
.replace(new RegExp('^' + getTagName(tag)), '')
@@ -28,7 +28,15 @@ export const getAttrs = tag => {
if (!v) return [k, true]
return [k, v.substring(1, v.length - 1)]
})
- return Object.fromEntries(attrs)
+ const defaultFilter = ([k, v]) => {
+ const attrKey = k.toLowerCase()
+ if (attrKey === 'style') return false
+ if (attrKey === 'class') {
+ return v === 'greentext' || v === 'cyantext'
+ }
+ return true
+ }
+ return Object.fromEntries(attrs.filter(filter || defaultFilter))
}
/**
generated by cgit v1.2.3-70-g09d2 (git 2.52.0) at 2025-12-08 23:48:26 +0000