Security: add DOM-purification, add 'norefferer' and 'noopener' automatically to links to new tabs

2023-09-20 23:05:08 +02:00 · 2023-09-20 23:05:08 +02:00 · 3a77c6f33e
commit 3a77c6f33e
parent 9252aafa2d
5 changed files with 71 additions and 13 deletions
--- a/src/UI/Base/FromHtml.svelte
+++ b/src/UI/Base/FromHtml.svelte
@ -2,12 +2,18 @@
  /**
   * Given an HTML string, properly shows this
   */
-
+  import DOMPurify from 'dompurify';
  export let src: string
+  
+  let cleaned = DOMPurify.sanitize(src, { USE_PROFILES: { html: true }, 
+    ADD_ATTR: ['target']  // Don't remove target='_blank'. Note that Utils.initDomPurify does add a hook which automatically adds 'rel=noopener'
+  });
+  
+  
  let htmlElem: HTMLElement
  $: {
    if (htmlElem) {
-      htmlElem.innerHTML = src
+      htmlElem.innerHTML = cleaned
    }
  }