
sanitize display name and markdown codeblock.

This commit is contained in:
Miroslav Šedivý 2021-11-26 21:52:24 +01:00
parent b8531512b7
commit b348f48092
3 changed files with 5 additions and 6 deletions


@ -90,7 +90,7 @@ const rules: MarkdownRules = {
} }
}, },
html(node, output, state) { html(node, output, state) {
return htmlTag('pre', htmlTag('code', node.content, state), {}, state) return htmlTag('pre', htmlTag('code', md.sanitizeText(node.content), {}, state), {}, state)
}, },
}, },
blockQuote: { blockQuote: {
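Review bot: The escaping on the `html` line is correct, but nothing records that `htmlTag` inserts `content` verbatim and that this one call is all that stands between a fenced code block and script execution; add `// node.content is untrusted user markdown; HTML-escape it so a block containing <script> or <img onerror> is rendered as literal text, since htmlTag does not escape` above the `return`. Worth confirming that `md.sanitizeText` escapes at least `<`, `>` and `&` (simple-markdown's implementation replaces `<>&"'` with numeric entities), because the whole fix rests on it. Any sibling rule in this `rules` map that passes raw `node.content` or `node.target` through `htmlTag` — an `inlineCode` rule, or a `link`/`url` rule building `href` — needs the same treatment, and attribute contexts additionally need the value quoted; those rules are outside this hunk, so this is a check rather than a finding. The enclosing `rules` object starts before this hunk.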


@ -2,6 +2,7 @@ import { getterTree, mutationTree, actionTree } from 'typed-vuex'
import { Member } from '~/neko/types' import { Member } from '~/neko/types'
import { EVENT } from '~/neko/events' import { EVENT } from '~/neko/events'
import md from 'simple-markdown'
import { accessor } from '~/store' import { accessor } from '~/store'
export const namespaced = true export const namespaced = true
@ -40,6 +41,7 @@ export const mutations = mutationTree(state, {
data[member.id] = { data[member.id] = {
connected: true, connected: true,
...member, ...member,
displayname: md.sanitizeText(member.displayname),
} }
} }
state.members = data state.members = data
@ -48,16 +50,12 @@ export const mutations = mutationTree(state, {
state.id = id state.id = id
}, },
addMember(state, member: Member) { addMember(state, member: Member) {
// remove html tags
const tmp = document.createElement('div')
tmp.innerHTML = member.displayname
member.displayname = tmp.textContent || tmp.innerText || ''
state.members = { state.members = {
...state.members, ...state.members,
[member.id]: { [member.id]: {
connected: true, connected: true,
...member, ...member,
displayname: md.sanitizeText(member.displayname),
}, },
} }
}, },
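Review bot: `md.sanitizeText` HTML-escapes rather than strips, so after this change `displayname` is stored in the Vuex state already encoded for an HTML sink; a consumer that binds it with `{{ }}` or assigns `textContent` will double-encode and show `&#60;`-style entities literally, while only `v-html` consumers are the ones this protects. That contract belongs at the write site, e.g. `// displayname is stored HTML-escaped (simple-markdown sanitizeText); render it only as raw HTML or entities will appear double-encoded` above the `displayname:` line in `addMember` (and the parallel line in `setMembers` in the earlier hunk). The two write sites shown are now consistent, but if any other mutation in this store or any `EVENT` handler assigns `displayname` outside these hunks it bypasses the sanitizer — worth grepping for before merging. For the record, the removed detached-`div` approach was itself exploitable (an `<img onerror>` assigned via `innerHTML` fires even off-document), so escaping at ingest is a strict improvement, not just a refactor.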


@ -12,6 +12,7 @@
### Misc ### Misc
- ARM-based images not bound to Raspberry Pi only. - ARM-based images not bound to Raspberry Pi only.
- Add japanese characters support. - Add japanese characters support.
- Sanitize display name and markdown codeblock input to prevent xss.
## [n.eko v2.4](https://github.com/m1k1o/neko/releases/tag/v2.4) ## [n.eko v2.4](https://github.com/m1k1o/neko/releases/tag/v2.4)