From 4a3c845eca7f7387122824e0a49bc046c5395636 Mon Sep 17 00:00:00 2001 From: David Larlet Date: Sat, 20 May 2023 09:56:18 -0400 Subject: [PATCH] Handle iframes and target attribute with dompurify --- umap/static/umap/js/umap.core.js | 4 +++- umap/static/umap/test/Util.js | 30 +++++++++++++++--------------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/umap/static/umap/js/umap.core.js b/umap/static/umap/js/umap.core.js index 66f23061..4e0be38a 100644 --- a/umap/static/umap/js/umap.core.js +++ b/umap/static/umap/js/umap.core.js @@ -46,6 +46,7 @@ L.Util.escapeHTML = (s) => { s = s ? s.toString() : '' s = DOMPurify.sanitize(s, { USE_PROFILES: { html: true }, + ADD_TAGS: ['iframe'], ALLOWED_TAGS: [ 'h3', 'h4', @@ -61,7 +62,8 @@ L.Util.escapeHTML = (s) => { 'img', 'br', ], - ALLOWED_ATTR: ['target', 'href', 'frameborder', 'src', 'width', 'height'], + ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'], + ALLOWED_ATTR: ['href', 'src', 'width', 'height'], }) return s } diff --git a/umap/static/umap/test/Util.js b/umap/static/umap/test/Util.js index 836be108..f6e9382d 100644 --- a/umap/static/umap/test/Util.js +++ b/umap/static/umap/test/Util.js @@ -38,49 +38,49 @@ describe('L.Util', function () { it('should handle links without formatting', function () { assert.equal( L.Util.toHTML('A simple http://osm.org link'), - 'A simple http://osm.org link' + 'A simple http://osm.org link' ) }) it('should handle simple link in title', function () { assert.equal( L.Util.toHTML('# http://osm.org'), - '
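Review bot: In the first umap.core.js hunk the `USE_PROFILES: { html: true }` line makes the explicit `ALLOWED_TAGS`/`ALLOWED_ATTR` lists dead configuration, as far as I recall DOMPurify's config parsing: a profile resets both allowlists to the full HTML profile and only `ADD_TAGS`/`ADD_ATTR` are applied afterwards, which is consistent with `target` not taking effect from `ALLOWED_ATTR` before this change. The effective allowlist is therefore the whole HTML profile (forms, inputs, `style`, etc.) plus `iframe`, not the short tag list written here, so the restriction the list suggests is not enforced. Dropping the `USE_PROFILES: { html: true },` line (and confirming the elided part of `ALLOWED_TAGS` contains `a` and the tags the tests expect) would make the explicit lists the real allowlist while `ADD_TAGS`/`ADD_ATTR` keep working. Separately, in the second hunk `allow` and `allowfullscreen` now pass through on iframes whose `src` comes from user text (the `{{{url}}}` syntax in the tests), which widens what the embedded page may request; consider whether those attributes are needed and whether the generated iframes should carry a `sandbox` attribute.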

http://osm.org

' + '

http://osm.org

' ) }) it('should handle links with url parameter', function () { assert.equal( L.Util.toHTML('A simple https://osm.org/?url=https%3A//anotherurl.com link'), - 'A simple https://osm.org/?url=https%3A//anotherurl.com link' + 'A simple https://osm.org/?url=https%3A//anotherurl.com link' ) }) it('should handle simple link inside parenthesis', function () { assert.equal( L.Util.toHTML('A simple link (http://osm.org)'), - 'A simple link (http://osm.org)' + 'A simple link (http://osm.org)' ) }) it('should handle simple link with formatting', function () { assert.equal( L.Util.toHTML('A simple [[http://osm.org]] link'), - 'A simple http://osm.org link' + 'A simple http://osm.org link' ) }) it('should handle simple link with formatting and content', function () { assert.equal( L.Util.toHTML('A simple [[http://osm.org|link]]'), - 'A simple link' + 'A simple link' ) }) it('should handle simple link followed by a carriage return', function () { assert.equal( L.Util.toHTML('A simple link http://osm.org\nAnother line'), - 'A simple link http://osm.org
\nAnother line' + 'A simple link http://osm.org
\nAnother line' ) }) @@ -108,28 +108,28 @@ describe('L.Util', function () { it('should handle iframe', function () { assert.equal( L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html}}}'), - 'A simple iframe:
' + 'A simple iframe:
' ) }) it('should handle iframe with height', function () { assert.equal( L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200}}}'), - 'A simple iframe:
' + 'A simple iframe:
' ) }) it('should handle iframe with height and width', function () { assert.equal( L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200*400}}}'), - 'A simple iframe:
' + 'A simple iframe:
' ) }) it('should handle iframe with height with px', function () { assert.equal( L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200px}}}'), - 'A simple iframe:
' + 'A simple iframe:
' ) }) @@ -138,7 +138,7 @@ describe('L.Util', function () { L.Util.toHTML( 'A simple iframe: {{{https://osm.org/?url=https%3A//anotherurl.com}}}' ), - 'A simple iframe:
' + 'A simple iframe:
' ) }) @@ -147,7 +147,7 @@ describe('L.Util', function () { L.Util.toHTML( 'A double iframe: {{{https://osm.org/pouet}}}{{{https://osm.org/boudin}}}' ), - 'A double iframe:
' + 'A double iframe:
' ) }) @@ -156,14 +156,14 @@ describe('L.Util', function () { L.Util.toHTML( 'A phrase with a [[http://iframeurl.com?to=http://another.com]].' ), - 'A phrase with a http://iframeurl.com?to=http://another.com.' + 'A phrase with a http://iframeurl.com?to=http://another.com.' ) }) }) describe('#escapeHTML', function () { it('should escape HTML tags', function () { - assert.equal(L.Util.escapeHTML(''), '<a href="pouet">') + assert.equal(L.Util.escapeHTML(''), '') }) it('should not fail with int value', function () {