Change BB link. Xss sanitize (#504)

baking-bad · Nov 30, 2022 · f5d7342 · f5d7342
1 parent de074a5
commit f5d7342
Show file tree

Hide file tree

Showing 13 changed files with 91 additions and 22,821 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -42,6 +42,7 @@
     "vue-json-pretty": "^1.7.1",
     "vue-meta": "^2.4.0",
     "vue-router": "^3.1.6",
+    "vue-sanitize": "^0.2.2",
     "vue-virtual-scroll-list": "^1.4.6",
     "vue2-dropzone": "^3.6.0",
     "vuedraggable": "^2.24.3",

diff --git a/src/components/SearchBox.vue b/src/components/SearchBox.vue
@@ -122,7 +122,7 @@
               ].includes(item.body.found_by) &&
               item.highlights[item.body.found_by]
             "
-            v-html="sanitizeHtml(item.highlights[item.body.found_by][0])"
+            v-html="sanitize(item.highlights[item.body.found_by][0])"
           ></span>
         </v-list-item-action-text>
         <v-list-item-action-text>
@@ -156,7 +156,6 @@ import {
 } from "@/utils/history.js";
 import {SEARCH_TABS} from "../constants/searchTabs";
 import waitUntil from "async-wait-until";
-import sanitizeHtml from 'sanitize-html';
 import Shortcut from '@/components/Shortcut.vue';
 
 export default {
@@ -194,7 +193,6 @@ export default {
   },
   methods: {
     ...mapActions(["showError"]),
-    sanitizeHtml,
     handleSearchBoxFocus() {
       this.isFocused = true;
     },

diff --git a/src/main.js b/src/main.js
@@ -8,7 +8,8 @@ import store from '@/store'
 import { newRouter } from '@/router/index.js'
 
 import VueGtag from "vue-gtag";
-import VueMeta from 'vue-meta'
+import VueMeta from 'vue-meta';
+import VueSanitize from "vue-sanitize";
 
 import * as Sentry from "@sentry/vue";
 import { BrowserTracing } from "@sentry/tracing";
@@ -50,9 +51,10 @@ Vue.config.productionTip = false;
 dayjs.extend(relativeTime);
 dayjs.extend(utc);
 
-Vue.use(PortalVue)
+Vue.use(PortalVue);
 
 Vue.use(Clipboard);
+Vue.use(VueSanitize);
 
 Vue.filter('numberToCompactSIFormat', function (value, decimals) {
   let num = Number(value);

diff --git a/src/views/contract/TokensTab/TokensTab.vue b/src/views/contract/TokensTab/TokensTab.vue
@@ -159,7 +159,12 @@ export default {
         return '';
       }
 
-      return `${this.config.IPFS_NODE}/ipfs/${url.replace('ipfs://', '')}`
+      let result = `${this.config.IPFS_NODE}/ipfs/${url.replace('ipfs://', '')}`;
+      try {
+        return new URL(result).toString();
+      } catch (_) {
+        return '';
+      }
     },
     getHeaderClass(metadata) {
       if (metadata === null) return 'item-header-failed';

diff --git a/src/views/contract/TypeDef.vue b/src/views/contract/TypeDef.vue
@@ -13,7 +13,6 @@
 </template>
 
 <script>
-import sanitizeHtml from 'sanitize-html';
 
 export default {
   name: "TypeDef",
@@ -23,7 +22,7 @@ export default {
   },
   methods: {
     highlightType(expr) {
-      return sanitizeHtml(expr.replace(/(\$\w+)/g, '<span class="accent--text">$1</span>'));
+      return this.$sanitize(expr.replace(/(\$\w+)/g, '<span class="accent--text">$1</span>'));
     },
   },
 };

diff --git a/src/views/extended_search/cards/Account.vue b/src/views/extended_search/cards/Account.vue
@@ -84,8 +84,8 @@ export default {
     computed: {
         alias() {
             let alias = getAccountAlias(this.item.body);
-            if (alias) return alias;
-            return this.info.alias;
+            if (alias) return this.$sanitize(alias);
+            return this.$sanitize(this.info.alias);
         }
     },
     methods: {
@@ -99,7 +99,7 @@ export default {
             })
             .catch(err => console.error(err))
             .finally(() => this.loading = false);
-        },
+        }
     },
     watch: {
         item: {

diff --git a/src/views/extended_search/cards/Contract.vue b/src/views/extended_search/cards/Contract.vue
@@ -92,8 +92,8 @@ export default {
     computed: {
         alias() {
             let alias = getAccountAlias(this.item.body);
-            if (alias) return alias;
-            return this.info.alias;
+            if (alias) return this.$sanitize(alias);
+            return this.$sanitize(this.info.alias);
         }
     },
     created() {

diff --git a/src/views/extended_search/cards/Token.vue b/src/views/extended_search/cards/Token.vue
@@ -8,7 +8,7 @@
                     </v-list-item-avatar>
                     <v-list-item-content>
                         <v-list-item-title>
-                            <span class="text-h4 text--primary">{{ item.body.Name ? item.body.Name : info.TokenID }}</span>
+                            <span class="text-h4 text--primary">{{ item.body.Name ? this.$sanitize(item.body.Name) : info.TokenID }}</span>
                         </v-list-item-title>
                         <v-list-item-subtitle>
                             <span class="secondary--text overline">{{ item.body.Network }}</span>

diff --git a/src/views/extended_search/result/Account.vue b/src/views/extended_search/result/Account.vue
@@ -44,7 +44,7 @@ export default {
   computed: {
     alias() {
         let alias = getAccountAlias(this.item.body);
-        if (alias) return alias;
+        if (alias) return this.$sanitize(alias);
         return undefined;
     }
   },

diff --git a/src/views/extended_search/result/Highlight.vue b/src/views/extended_search/result/Highlight.vue
@@ -13,8 +13,6 @@
 </template>
 
 <script>
-import sanitizeHtml from 'sanitize-html';
-
 export default {
     name: "Highlight",
     props: {
@@ -23,10 +21,10 @@ export default {
     },
     methods: {
         highlight(s) {
-            if (this.words === undefined) return s;
+            if (this.words === undefined) return this.$sanitize(s);
             for (let word of this.words) {
                 let re = new RegExp(`(${word})`, "gmi");
-                s = sanitizeHtml(s.replace(re, "<span class='highlight'>$1</span>"));
+                s = this.$sanitize(s.replace(re, "<span class='highlight'>$1</span>"));
             }
             return s;
         },

diff --git a/src/views/extended_search/result/Token.vue b/src/views/extended_search/result/Token.vue
@@ -7,7 +7,7 @@
                         <span class="hash">Token</span>
                         <span class="text--secondary" style="font-size: 20px;"> → </span>
                         <router-link class="serp-link" target="_blank" :to="`/${item.body.Network}/${item.body.Address}/tokens?token_id=${item.body.TokenID}`">
-                            <span v-if="item.body.Name" class="alias">{{ item.body.Name }}</span>
+                            <span v-if="item.body.Name" class="alias">{{ sanitize(item.body.Name) }}</span>
                         </router-link>
                     </v-list-item-title>
                     <v-list-item-subtitle>
@@ -35,6 +35,11 @@ export default {
     components: {
         Highlight
     },
+    methods: {
+        sanitize(text) {
+            return this.$sanitize(text);
+        }
+    }
 }
 </script>
 

diff --git a/src/views/home/Home.vue b/src/views/home/Home.vue
@@ -56,7 +56,7 @@
           style="z-index: 0"
         >
           <span class="overline">Created by</span>
-          <a href="https://baking-bad.org/docs" target="_blank" rel="noopener" class="text--secondary text-small ml-1 pa-1 no-decoration overline">Baking Bad</a>
+          <a href="https://bakingbad.dev/" target="_blank" rel="noopener" class="text--secondary text-small ml-1 pa-1 no-decoration overline">Baking Bad</a>
           <span class="ml-1 mr-2">·</span>
           <span class="overline">Hosted on</span>
           <a href="https://www.netlify.com" target="_blank" rel="noopener" class="text--secondary text-small ml-1 pa-1 no-decoration overline">Netlify</a>