Security: add DOM-purification, add 'norefferer' and 'noopener' automatically to links to new tabs

2023-09-20 23:05:08 +02:00 · 2023-09-20 23:05:08 +02:00 · 3a77c6f33e
commit 3a77c6f33e
parent 9252aafa2d
5 changed files with 71 additions and 13 deletions
--- a/src/Utils.ts
+++ b/src/Utils.ts
@ -1,4 +1,5 @@
 import colors from "./assets/colors.json"
+import DOMPurify from "dompurify"

 export class Utils {
    /**
@ -25,6 +26,16 @@ Note that these values can be prepare with javascript in the theme by using a [c
 `
    public static readonly imageExtensions = new Set(["jpg", "png", "svg", "jpeg", ".gif"])

+    public static initDomPurify() {
+        DOMPurify.addHook("afterSanitizeAttributes", function (node) {
+            // set all elements owning target to target=_blank + add noopener noreferrer
+            if ("target" in node) {
+                node.setAttribute("target", "_blank")
+                node.setAttribute("rel", "noopener noreferrer")
+            }
+        })
+    }
+
    public static readonly special_visualizations_importRequirementDocs = `#### Importing a dataset into OpenStreetMap: requirements

 If you want to import a dataset, make sure that: