diff --git a/client/src/components/markdown.ts b/client/src/components/markdown.ts
index 7346774..d5c846a 100644
--- a/client/src/components/markdown.ts
+++ b/client/src/components/markdown.ts
@@ -90,7 +90,7 @@ const rules: MarkdownRules = {
 }
 },
 html(node, output, state) {
- return htmlTag('pre', htmlTag('code', node.content, state), {}, state)
+ return htmlTag('pre', htmlTag('code', md.sanitizeText(node.content), {}, state), {}, state)
 },
 },
 blockQuote: {
diff --git a/client/src/store/user.ts b/client/src/store/user.ts
index f9c5a57..3d7f81a 100644
--- a/client/src/store/user.ts
+++ b/client/src/store/user.ts
@@ -2,6 +2,7 @@
 import { getterTree, mutationTree, actionTree } from 'typed-vuex'
 import { Member } from '~/neko/types'
 import { EVENT } from '~/neko/events'
+import md from 'simple-markdown'
 import { accessor } from '~/store'
 
 export const namespaced = true
@@ -40,6 +41,7 @@ export const mutations = mutationTree(state, {
 data[member.id] = {
 connected: true,
 ...member,
+ displayname: md.sanitizeText(member.displayname),
 }
 }
 state.members = data
@@ -48,16 +50,12 @@ export const mutations = mutationTree(state, {
 state.id = id
 },
 addMember(state, member: Member) {
- // remove html tags
- const tmp = document.createElement('div')
- tmp.innerHTML = member.displayname
- member.displayname = tmp.textContent || tmp.innerText || ''
-
 state.members = {
 ...state.members,
 [member.id]: {
 connected: true,
 ...member,
+ displayname: md.sanitizeText(member.displayname),
 },
 }
 },
diff --git a/docs/changelog.md b/docs/changelog.md
index d9de432..192532f 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -12,6 +12,7 @@ ### Misc
 - ARM-based images not bound to Raspberry Pi only.
 - Add japanese characters support.
+- Sanitize display name and markdown codeblock input to prevent xss.
 
 ## [n.eko v2.4](https://github.com/m1k1o/neko/releases/tag/v2.4)
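Review bot: On the added `return htmlTag('pre', htmlTag('code', md.sanitizeText(node.content), {}, state), {}, state)` line in markdown.ts, `state` is passed in the fourth argument position of both `htmlTag` calls; if this is simple-markdown's `htmlTag(tagName, content, attributes?, isClosed?)`, that slot is the boolean `isClosed`, and the call only works because an object is truthy. Prefer the explicit form `return htmlTag('pre', htmlTag('code', md.sanitizeText(node.content)))` (defaults to closed tags) so the intent is readable and a future boolean check does not break it. The escaping itself is the right fix for this rule, but it covers only the `codeBlock` html output shown here; any other rule in this `rules` table that emits `node.content` or a URL into the HTML string unescaped would need the same treatment, which cannot be confirmed from this hunk. The enclosing `rules` definition and the `codeBlock` rule start outside the hunk.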
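Review bot: The added `displayname: md.sanitizeText(member.displayname)` in `setMembers` (and the identical line in `addMember` in the next hunk) changes the stored value from plain text to HTML-entity-encoded text, which is a different contract from the removed `textContent` approach that stripped tags and left plain text. If any template renders `member.displayname` through Vue's `{{ }}` interpolation, which escapes on its own, users will see `O&#x27;Brien` or `&lt;` literally, and only a `v-html` sink benefits; that rendering site is not visible here, so this needs confirming against the components. Either move the escaping to the one place the name is injected as HTML, or document the invariant in the store, e.g. `// displayname is stored HTML-escaped (simple-markdown sanitizeText); render via v-html, never escape it again`. Any other mutation that updates a member's `displayname` outside these two hunks would also need the same escaping for the invariant to hold. `setMembers` starts outside its hunk; `addMember` is fully visible.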