Security: purify inputs around innerHTML-usage, remove some unused parameters and classes

2023-09-21 01:53:34 +02:00 · 2023-09-21 01:53:34 +02:00 · fcea3da70f
commit fcea3da70f
parent e0ee3edf71
15 changed files with 44 additions and 127 deletions
--- a/src/UI/Base/FromHtml.svelte
+++ b/src/UI/Base/FromHtml.svelte
@ -2,18 +2,14 @@
  /**
   * Given an HTML string, properly shows this
   */
-  import DOMPurify from 'dompurify';
+  import { Utils } from "../../Utils";
+
  export let src: string
-  
-  let cleaned = DOMPurify.sanitize(src, { USE_PROFILES: { html: true }, 
-    ADD_ATTR: ['target']  // Don't remove target='_blank'. Note that Utils.initDomPurify does add a hook which automatically adds 'rel=noopener'
-  });
-  
-  
+
  let htmlElem: HTMLElement
  $: {
    if (htmlElem) {
-      htmlElem.innerHTML = cleaned
+      htmlElem.innerHTML = Utils.purify(src)
    }
  }