Remove xss attack; closes #1443 at least partially

2025-12-13 09:46:22 +00:00 · 2018-03-04 17:27:58 +01:00
parent 6bcb6398f8
commit 9344fd78d8
3 changed files with 35 additions and 0 deletions
--- a/browser/lib/markdown.js
+++ b/browser/lib/markdown.js
@@ -1,4 +1,5 @@
 import markdownit from 'markdown-it'
+import sanitize from './markdown-it-sanitize-html'
 import emoji from 'markdown-it-emoji'
 import math from '@rokt33r/markdown-it-math'
 import _ from 'lodash'
@@ -46,6 +47,16 @@ var md = markdownit({
      '</code></pre>'
  }
 })
+// Sanitize use rinput before other plugins
+md.use(sanitize, {
+  allowedTags: ['img', 'iframe'],
+  allowedAttributes: {
+    '*': ['alt', 'style'],
+    'img': ['src', 'height', 'width'],
+    'iframe': ['src']
+  },
+  allowedIframeHostnames: ['www.youtube.com']
+})
 md.use(emoji, {
  shortcuts: {}
 })