use dompurify instead of sanitize-html

2020-02-10 00:40:23 +01:00
parent e72b2822b9
commit 1dfd75a193
5 changed files with 65 additions and 75 deletions
--- a/server/api/controller/event.js
+++ b/server/api/controller/event.js
@@ -5,6 +5,8 @@ const config = require('config')
 const fs = require('fs')
 const { Op } = require('sequelize')
 const _ = require('lodash')
+const helpers = require('../../helpers')
+
 const {
  event: Event,
  resource: Resource,
@@ -15,7 +17,6 @@ const {
 } = require('../models')
 const Sequelize = require('sequelize')
 const exportController = require('./export')
-const sanitizeHtml = require('sanitize-html')

 const debug = require('debug')('controller:event')

@@ -301,7 +302,7 @@ const eventController = {
      body.image_path = req.file.filename
    }

-    body.description = sanitizeHtml(body.description)
+    body.description = helpers.sanitizeHTML(body.description)

    await event.update(body)
    let place
--- a/server/federation/resources.js
+++ b/server/federation/resources.js
@@ -1,6 +1,7 @@
 const { event: Event, resource: Resource, ap_user: APUser } = require('../api/models')
 const debug = require('debug')('fediverse:resource')
-const sanitize = require('sanitize-html')
+const helpers = require('../helpers')
+
 module.exports = {

  // create a resource from AP Note
@@ -30,7 +31,7 @@ module.exports = {

    // TODO should probably map links here
    // clean resource
-    body.object.content = sanitize(body.object.content, {
+    body.object.content = helpers.sanitizeHTML(body.object.content, {
      nonTextTags: ['style', 'script', 'textarea', 'noscript']
    })

--- a/server/helpers.js
+++ b/server/helpers.js
@@ -4,7 +4,40 @@ const moment = require('moment-timezone')
 const config = require('config')
 const pkg = require('../package.json')

+const DOMPurify = require('dompurify')
+const { JSDOM } = require('jsdom')
+const { window } = new JSDOM('<!DOCTYPE html>')
+const domPurify = DOMPurify(window)
+const URL = require('url')
+
+domPurify.addHook('beforeSanitizeElements', node => {
+  if (node.hasAttribute && node.hasAttribute('href')) {
+    const href = node.getAttribute('href')
+    const text = node.textContent
+    if (href.includes('fbclid=')) {
+      try {
+        const url = new URL.URL(href)
+        url.searchParams.delete('fbclid')
+        node.setAttribute('href', url.href)
+        if (text.includes('fbclid=')) {
+          node.textContent = url.href
+        }
+      } catch (e) {
+        return node
+      }
+    }
+  }
+  return node
+})
+
 module.exports = {
+  sanitizeHTML (html) {
+    return domPurify.sanitize(html, {
+      ALLOWED_TAGS: ['p', 'h1', 'h2', 'h3', 'h4', 'h5',
+        'h6', 'b', 'a', 'li', 'ul', 'ol', 'code', 'blockquote', 'u', 's', 'strong'],
+      ALLOWED_ATTR: ['href']
+    })
+  },

  async initSettings (req, res, next) {
    await settingsController.load()