mirror of
https://github.com/SPLURT-Station/S.P.L.U.R.T-Station-13.git
synced 2025-12-09 16:07:40 +00:00
Exploit fixes for pappah
This commit is contained in:
Artur
@@ -9,24 +9,36 @@
|
||||
import { Tabs, Box, Flex, Button, TextArea } from '../components';
|
||||
import { useBackend, useSharedState, useLocalState } from '../backend';
|
||||
import { Window } from '../layouts';
|
||||
// import marked from 'marked';
|
||||
import marked from 'marked';
|
||||
import DOMPurify from 'dompurify';
|
||||
// There is a sanatize option in marked but they say its deprecated.
|
||||
// Might as well use a proper one then
|
||||
|
||||
import { createLogger } from '../logging';
|
||||
import { Fragment } from 'inferno';
|
||||
|
||||
const logger = createLogger('PaperSheet');
|
||||
|
||||
const walkTokens = token => {
|
||||
switch (token.type) {
|
||||
case 'link':
|
||||
case 'image':
|
||||
token.type = 'text';
|
||||
// Once asset system is up change to some default image
|
||||
// or rewrite for icon images
|
||||
token.href = "";
|
||||
break;
|
||||
}
|
||||
};
|
||||
|
||||
const run_marked_default = value => {
|
||||
const sanitizer = DOMPurify.sanitize;
|
||||
// too much?
|
||||
// return sanitizer(marked(sanitizer(value),
|
||||
// { breaks: true, smartypants: true });
|
||||
return sanitizer(marked(value,
|
||||
{ breaks: true, smartypants: true }));
|
||||
const clean = DOMPurify.sanitize(value);
|
||||
return marked(clean,
|
||||
{ breaks: true,
|
||||
smartypants: true,
|
||||
smartLists: true,
|
||||
walkTokens: walkTokens,
|
||||
// Once assets are fixed might need to change this for them
|
||||
baseUrl: "thisshouldbreakhttp",
|
||||
});
|
||||
};
|
||||
|
||||
const PaperSheetView = (props, context) => {
|
||||
@@ -45,6 +57,7 @@ const PaperSheetView = (props, context) => {
|
||||
{ __html: run_marked_default(value) });
|
||||
return (
|
||||
<Box
|
||||
opacity={1}
|
||||
backgroundColor={paper_color}
|
||||
color={pen_color}
|
||||
{...rest}
|
||||
@@ -106,7 +119,7 @@ const PaperSheetEdit = (props, context) => {
|
||||
|| previewSelected === "save"}
|
||||
onClick={() => {
|
||||
if (previewSelected === "confirm") {
|
||||
act('save', { text });
|
||||
act('save', { text: DOMPurify.sanitize(text) });
|
||||
} else {
|
||||
setPreviewSelected("confirm");
|
||||
}
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
"webpack-build-notifier": "^2.0.0",
|
||||
"webpack-bundle-analyzer": "^3.5.1",
|
||||
"webpack-cli": "^3.3.9",
|
||||
"marked": "^1.0.0",
|
||||
"marked": "^1.1.0",
|
||||
"dompurify": "^2.0.11"
|
||||
}
|
||||
}
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@@ -8,7 +8,7 @@
|
||||
@use 'sass:meta';
|
||||
|
||||
@use '../colors.scss' with (
|
||||
$primary: #000000,
|
||||
$primary: #ffffff,
|
||||
$fg-map-keys: (),
|
||||
$bg-map-keys: (),
|
||||
);
|
||||
@@ -49,12 +49,4 @@
|
||||
background-image: none;
|
||||
}
|
||||
|
||||
.code {
|
||||
font-family: Consolas,"courier new";
|
||||
color: black;
|
||||
background-color: #f1f1f1;
|
||||
padding: 2px;
|
||||
font-size: 85%;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -2147,16 +2147,16 @@ domelementtype@1:
|
||||
resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.3.1.tgz#d048c44b37b0d10a7f2a3d5fee3f4333d790481f"
|
||||
integrity sha512-BSKB+TSpMpFI/HOxCNr1O8aMOTZ8hT3pM3GQ0w/mWRmkhEDSFJkkyzz4XQsBV44BChwGkrDfMyjVD0eA2aFV3w==
|
||||
|
||||
dompurify@^2.0.11:
|
||||
version "2.0.11"
|
||||
resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.0.11.tgz#cd47935774230c5e478b183a572e726300b3891d"
|
||||
integrity sha512-qVoGPjIW9IqxRij7klDQQ2j6nSe4UNWANBhZNLnsS7ScTtLb+3YdxkRY8brNTpkUiTtcXsCJO+jS0UCDfenLuA==
|
||||
|
||||
domelementtype@^2.0.1:
|
||||
version "2.0.1"
|
||||
resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-2.0.1.tgz#1f8bdfe91f5a78063274e803b4bdcedf6e94f94d"
|
||||
integrity sha512-5HOHUDsYZWV8FGWN0Njbr/Rn7f/eWSQi1v7+HsUVwXgn8nWWlL64zKDkS0n8ZmQ3mlWOMuXOnR+7Nx/5tMO5AQ==
|
||||
|
||||
dompurify@^2.0.11:
|
||||
version "2.0.11"
|
||||
resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.0.11.tgz#cd47935774230c5e478b183a572e726300b3891d"
|
||||
integrity sha512-qVoGPjIW9IqxRij7klDQQ2j6nSe4UNWANBhZNLnsS7ScTtLb+3YdxkRY8brNTpkUiTtcXsCJO+jS0UCDfenLuA==
|
||||
|
||||
domutils@^1.7.0:
|
||||
version "1.7.0"
|
||||
resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.7.0.tgz#56ea341e834e06e6748af7a1cb25da67ea9f8c2a"
|
||||
@@ -3787,7 +3787,7 @@ map-visit@^1.0.0:
|
||||
dependencies:
|
||||
object-visit "^1.0.0"
|
||||
|
||||
marked@^1.0.0:
|
||||
marked@^1.1.0:
|
||||
version "1.1.0"
|
||||
resolved "https://registry.yarnpkg.com/marked/-/marked-1.1.0.tgz#62504ad4d11550c942935ccc5e39d64e5a4c4e50"
|
||||
integrity sha512-EkE7RW6KcXfMHy2PA7Jg0YJE1l8UPEZE8k45tylzmZM30/r1M1MUXWQfJlrSbsTeh7m/XTwHbWUENvAJZpp1YA==
|
||||
|
||||
Reference in New Issue
Block a user