Exploit fixes for pappah

2025-12-09 16:07:40 +00:00 · 2020-05-29 18:23:33 +03:00
parent 7faa0cb5fc
commit a6d7a33669
7 changed files with 34 additions and 29 deletions
--- a/code/modules/paperwork/paper.dm
+++ b/code/modules/paperwork/paper.dm
@@ -188,7 +188,7 @@
 			return

 		var/datum/asset/spritesheet/sheet = get_asset_datum(/datum/asset/spritesheet/simple/paper)
-		if (isnull(stamps))
+		if(isnull(stamps))
 			stamps = sheet.css_tag()
 		stamps += sheet.icon_tag(P.icon_state)
 		var/mutable_appearance/stampoverlay = mutable_appearance('icons/obj/bureaucracy.dmi', "paper_[P.icon_state]")
--- a/tgui/packages/tgui/interfaces/PaperSheet.js
+++ b/tgui/packages/tgui/interfaces/PaperSheet.js
@@ -9,24 +9,36 @@
 import { Tabs, Box, Flex, Button, TextArea } from '../components';
 import { useBackend, useSharedState, useLocalState } from '../backend';
 import { Window } from '../layouts';
-// import marked from 'marked';
 import marked from 'marked';
 import DOMPurify from 'dompurify';
 // There is a sanatize option in marked but they say its deprecated.
 // Might as well use a proper one then
-
 import { createLogger } from '../logging';
 import { Fragment } from 'inferno';
-
 const logger = createLogger('PaperSheet');

+const walkTokens = token => {
+  switch (token.type) {
+    case 'link':
+    case 'image':
+      token.type = 'text';
+      // Once asset system is up change to some default image
+      // or rewrite for icon images
+      token.href = "";
+      break;
+  }
+};
+
 const run_marked_default = value => {
-  const sanitizer = DOMPurify.sanitize;
-  // too much?
-  // return sanitizer(marked(sanitizer(value),
-  //   { breaks: true, smartypants: true });
-  return sanitizer(marked(value,
-    { breaks: true, smartypants: true }));
+  const clean = DOMPurify.sanitize(value);
+  return marked(clean,
+    { breaks: true,
+      smartypants: true,
+      smartLists: true,
+      walkTokens: walkTokens,
+      // Once assets are fixed might need to change this for them
+      baseUrl: "thisshouldbreakhttp",
+    });
 };

 const PaperSheetView = (props, context) => {
@@ -45,6 +57,7 @@ const PaperSheetView = (props, context) => {
    { __html: run_marked_default(value) });
  return (
    <Box
+      opacity={1}
      backgroundColor={paper_color}
      color={pen_color}
      {...rest}
@@ -106,7 +119,7 @@ const PaperSheetEdit = (props, context) => {
              || previewSelected === "save"}
            onClick={() => {
              if (previewSelected === "confirm") {
-                act('save', { text });
+                act('save', { text: DOMPurify.sanitize(text) });
              } else {
                setPreviewSelected("confirm");
              }
--- a/tgui/packages/tgui/package.json
+++ b/tgui/packages/tgui/package.json
@@ -27,7 +27,7 @@
    "webpack-build-notifier": "^2.0.0",
    "webpack-bundle-analyzer": "^3.5.1",
    "webpack-cli": "^3.3.9",
-    "marked": "^1.0.0",
+    "marked": "^1.1.0",
    "dompurify": "^2.0.11"
  }
 }
--- a/tgui/packages/tgui/public/tgui.bundle.css
+++ b/tgui/packages/tgui/public/tgui.bundle.css
--- a/tgui/packages/tgui/public/tgui.bundle.js
+++ b/tgui/packages/tgui/public/tgui.bundle.js
--- a/tgui/packages/tgui/styles/themes/paper.scss
+++ b/tgui/packages/tgui/styles/themes/paper.scss
@@ -8,7 +8,7 @@
 @use 'sass:meta';

 @use '../colors.scss' with (
-   $primary: #000000,
+   $primary: #ffffff,
   $fg-map-keys: (),
   $bg-map-keys: (),
 );
@@ -49,12 +49,4 @@
     background-image: none;
   }

- .code {
-   font-family: Consolas,"courier new";
-   color: black;
-   background-color: #f1f1f1;
-   padding: 2px;
-   font-size: 85%;
- }
-
 }
--- a/tgui/yarn.lock
+++ b/tgui/yarn.lock
@@ -2147,16 +2147,16 @@ domelementtype@1:
  resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.3.1.tgz#d048c44b37b0d10a7f2a3d5fee3f4333d790481f"
  integrity sha512-BSKB+TSpMpFI/HOxCNr1O8aMOTZ8hT3pM3GQ0w/mWRmkhEDSFJkkyzz4XQsBV44BChwGkrDfMyjVD0eA2aFV3w==

-dompurify@^2.0.11:
-  version "2.0.11"
-  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.0.11.tgz#cd47935774230c5e478b183a572e726300b3891d"
-  integrity sha512-qVoGPjIW9IqxRij7klDQQ2j6nSe4UNWANBhZNLnsS7ScTtLb+3YdxkRY8brNTpkUiTtcXsCJO+jS0UCDfenLuA==
-
 domelementtype@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-2.0.1.tgz#1f8bdfe91f5a78063274e803b4bdcedf6e94f94d"
  integrity sha512-5HOHUDsYZWV8FGWN0Njbr/Rn7f/eWSQi1v7+HsUVwXgn8nWWlL64zKDkS0n8ZmQ3mlWOMuXOnR+7Nx/5tMO5AQ==

+dompurify@^2.0.11:
+  version "2.0.11"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.0.11.tgz#cd47935774230c5e478b183a572e726300b3891d"
+  integrity sha512-qVoGPjIW9IqxRij7klDQQ2j6nSe4UNWANBhZNLnsS7ScTtLb+3YdxkRY8brNTpkUiTtcXsCJO+jS0UCDfenLuA==
+
 domutils@^1.7.0:
  version "1.7.0"
  resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.7.0.tgz#56ea341e834e06e6748af7a1cb25da67ea9f8c2a"
@@ -3787,7 +3787,7 @@ map-visit@^1.0.0:
  dependencies:
    object-visit "^1.0.0"

-marked@^1.0.0:
+marked@^1.1.0:
  version "1.1.0"
  resolved "https://registry.yarnpkg.com/marked/-/marked-1.1.0.tgz#62504ad4d11550c942935ccc5e39d64e5a4c4e50"
  integrity sha512-EkE7RW6KcXfMHy2PA7Jg0YJE1l8UPEZE8k45tylzmZM30/r1M1MUXWQfJlrSbsTeh7m/XTwHbWUENvAJZpp1YA==