sanitize display name and markdown codeblock.
This commit is contained in:
parent
b8531512b7
commit
b348f48092
@ -90,7 +90,7 @@ const rules: MarkdownRules = {
|
||||
}
|
||||
},
|
||||
html(node, output, state) {
|
||||
return htmlTag('pre', htmlTag('code', node.content, state), {}, state)
|
||||
return htmlTag('pre', htmlTag('code', md.sanitizeText(node.content), {}, state), {}, state)
|
||||
},
|
||||
},
|
||||
blockQuote: {
|
||||
|
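Review bot: The new line escapes node.content before `htmlTag` embeds it in the `<code>` element, but nothing in the rule records that node.content is raw user text and that `htmlTag` inserts its content verbatim, so a later edit could drop the call without noticing; a comment above the return would pin that, e.g. `// node.content is raw user input and htmlTag does not escape it: escape here`. The new line also changes `htmlTag('code', …, state)` to `htmlTag('code', …, {}, state)`, which looks like the attributes argument was previously missing and state was being passed in its place — worth a word in the commit message if so. The rules object containing this codeBlock entry starts and ends outside the hunk, and I am assuming `md` is the simple-markdown import in this file as it is in the store change below.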
@ -2,6 +2,7 @@ import { getterTree, mutationTree, actionTree } from 'typed-vuex'
|
||||
import { Member } from '~/neko/types'
|
||||
import { EVENT } from '~/neko/events'
|
||||
|
||||
import md from 'simple-markdown'
|
||||
import { accessor } from '~/store'
|
||||
|
||||
export const namespaced = true
|
||||
@ -40,6 +41,7 @@ export const mutations = mutationTree(state, {
|
||||
data[member.id] = {
|
||||
connected: true,
|
||||
...member,
|
||||
displayname: md.sanitizeText(member.displayname),
|
||||
}
|
||||
}
|
||||
state.members = data
|
||||
@ -48,16 +50,12 @@ export const mutations = mutationTree(state, {
|
||||
state.id = id
|
||||
},
|
||||
addMember(state, member: Member) {
|
||||
// remove html tags
|
||||
const tmp = document.createElement('div')
|
||||
tmp.innerHTML = member.displayname
|
||||
member.displayname = tmp.textContent || tmp.innerText || ''
|
||||
|
||||
state.members = {
|
||||
...state.members,
|
||||
[member.id]: {
|
||||
connected: true,
|
||||
...member,
|
||||
displayname: md.sanitizeText(member.displayname),
|
||||
},
|
||||
}
|
||||
},
|
||||
|
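Review bot: In addMember (and in setMembers in the hunk above) `md.sanitizeText` stores an HTML-entity-escaped string in state, which is a different contract from the removed tag-stripping: a name containing `&` or `<` is now kept as `&amp;` or `&lt;`, so any consumer that renders displayname through escaping text interpolation rather than as raw HTML will show the entities literally. Whether that happens depends on the templates, which are outside this diff, so it needs confirming against the places displayname is rendered. Either way the invariant should be stated at both assignments, e.g. `// displayname is stored HTML-escaped (simple-markdown sanitizeText); render as HTML, do not escape again`, and if a consumer does escape it the sanitizing belongs at the render site instead of in the store. The mutationTree object containing these mutations starts before the hunk.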
@ -12,6 +12,7 @@
|
||||
### Misc
|
||||
- ARM-based images not bound to Raspberry Pi only.
|
||||
- Add japanese characters support.
|
||||
- Sanitize display name and markdown codeblock input to prevent xss.
|
||||
|
||||
## [n.eko v2.4](https://github.com/m1k1o/neko/releases/tag/v2.4)
|
||||
|
||||
|