Merge pull request #816 from jellyfin/sane-html

feat(htmlhelper): unescape the input and strip all tags except br
2025-03-03 11:17:22 +00:00 · 2021-03-02 12:55:17 +01:00 · 2021-03-02 12:55:17 +01:00 · bf35af5526
commit bf35af5526
parent 27f84cab5a 2ddb650d88
3 changed files with 13 additions and 2 deletions
--- a/mixins/htmlHelper.ts
+++ b/mixins/htmlHelper.ts
@ -5,6 +5,7 @@
 */
 import Vue from 'vue';
 import DOMPurify from 'dompurify';
+import { decode } from 'he';

 declare module '@nuxt/types' {
  interface Context {
@ -32,8 +33,11 @@ const htmlHelper = Vue.extend({
     */
    sanitizeHtml(input: string): string {
      // Some providers have newlines, replace them with the proper tag.
-      let cleanString = input.replace(/(?:\r\n|\r|\n)/g, '<br>');
-      cleanString = DOMPurify.sanitize(cleanString);
+      let cleanString = decode(input).replace(/(?:\r\n|\r|\n)/g, '<br>');
+      cleanString = DOMPurify.sanitize(cleanString, {
+        ALLOWED_TAGS: ['br', 'b', 'strong', 'i', 'em'],
+        KEEP_CONTENT: true
+      });
      return cleanString;
    }
  }
--- a/package.json
+++ b/package.json
@ -38,6 +38,7 @@
    "date-fns": "^2.18.0",
    "dompurify": "^2.2.6",
    "entities": "^2.2.0",
+    "he": "^1.2.0",
    "js-cookie": "^2.2.1",
    "langs": "^2.0.0",
    "lodash": "^4.17.20",
@ -72,6 +73,7 @@
    "@nuxtjs/vuetify": "^1.11.3",
    "@types/cookie": "^0.4.0",
    "@types/dompurify": "^2.2.1",
+    "@types/he": "^1.1.1",
    "@types/jest": "^26.0.20",
    "@types/js-cookie": "^2.2.6",
    "@types/lodash": "^4.14.168",
--- a/yarn.lock
+++ b/yarn.lock
@ -2150,6 +2150,11 @@
  dependencies:
    "@types/node" "*"

+"@types/he@^1.1.1":
+  version "1.1.1"
+  resolved "https://registry.npmjs.org/@types/he/-/he-1.1.1.tgz#19e14033c4ee8f1a702c74dcc6182664839ac2b7"
+  integrity sha512-jpzrsR1ns0n3kyWt92QfOUQhIuJGQ9+QGa7M62rO6toe98woQjnsnzjdMtsQXCdvjjmqjS2ZBCC7xKw0cdzU+Q==
+
 "@types/html-minifier-terser@^5.0.0":
  version "5.1.1"
  resolved "https://registry.npmjs.org/@types/html-minifier-terser/-/html-minifier-terser-5.1.1.tgz#3c9ee980f1a10d6021ae6632ca3e79ca2ec4fb50"