imterah/element-portable
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Silence sanitize-html warning (#10334)

Browse source
This commit is contained in:
Michael Telatynski 2023-03-09 09:08:42 +00:00 committed by GitHub
parent cef821c21b
commit 01d7b795ab
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/utils/Reply.ts
View file

@ -44,7 +44,7 @@ export function stripPlainReply(body: string): string {
return lines.join("\n"); return lines.join("\n");
} }
// Part of Replies fallback support // Part of Replies fallback support - MUST NOT BE RENDERED DIRECTLY - UNSAFE HTML
export function stripHTMLReply(html: string): string { export function stripHTMLReply(html: string): string {
// Sanitize the original HTML for inclusion in <mx-reply>. We allow // Sanitize the original HTML for inclusion in <mx-reply>. We allow
// any HTML, since the original sender could use special tags that we // any HTML, since the original sender could use special tags that we
@ -56,6 +56,7 @@ export function stripHTMLReply(html: string): string {
return sanitizeHtml(html, { return sanitizeHtml(html, {
allowedTags: false, // false means allow everything allowedTags: false, // false means allow everything
allowedAttributes: false, allowedAttributes: false,
allowVulnerableTags: false, // silence xss warning, we won't be rendering directly this, so it is safe to do
// we somehow can't allow all schemes, so we allow all that we // we somehow can't allow all schemes, so we allow all that we
// know of and mxc (for img tags) // know of and mxc (for img tags)
allowedSchemes: [...PERMITTED_URL_SCHEMES, "mxc"], allowedSchemes: [...PERMITTED_URL_SCHEMES, "mxc"],