From aaef4ff72e7d7e155415a838d1082c49085880df Mon Sep 17 00:00:00 2001
From: DmitriVanGuard
Date: Tue, 12 Jul 2022 14:10:00 +0300
Subject: [PATCH] Sanitizing insights text on fe

---
 src/components/InsightText.svelte | 13 ++++++++++-
 src/routes/read/[slug].svelte | 31 ++----------------------
 src/routes/read/_Comments.svelte | 39 +++++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 30 deletions(-)
 create mode 100644 src/routes/read/_Comments.svelte

diff --git a/src/components/InsightText.svelte b/src/components/InsightText.svelte
index 295d42d8..3a19c539 100644
--- a/src/components/InsightText.svelte
+++ b/src/components/InsightText.svelte
@@ -7,6 +7,7 @@
 let node
+ $: sanitized = sanitize(text)
 $: node && hookImageEnlarger()
 function hookImageEnlarger() {
@@ -15,10 +16,20 @@
 img.onclick = enlargeImage
 })
 }
+
+ function sanitize(text) {
+ return text
+ .replace(/<\s*script/g, '<script')
+ .replace(/="?javascript:/g, '')
+ .replace(
+ /(onafterprint|onbeforeprint|onbeforeunload|onerror|onhashchange|onload|onoffline|ononline|onpageshow|onresize|onunload|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|onclick|ondblclick|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onwheel|onwheel|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onscroll|oncopy|oncut|onpaste|ontoggle)=/g,
+ '_=',
+ )
+ }
- {@html text} + {@html sanitized}
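Review bot: `sanitize` in the second hunk is a case-sensitive denylist and cannot by itself make `{@html sanitized}` safe: none of the three regexes carry the `i` flag, the handler alternation is a fixed subset of attribute names (with `onwheel` listed twice), and the `javascript:` rule only matches the scheme immediately after `=` or `="`. The first rule's replacement reads as `'<script'` here (it may have been `&lt;script` before extraction); if it is literally `<script`, that rule normalizes the tag rather than neutralizing it and should be checked in the actual file. Since the component still renders untrusted insight text through `{@html}`, the robust fix is an allowlist-based HTML sanitizer (e.g. DOMPurify) or sanitizing on the server before the text reaches the client, keeping this function at most as defense in depth with a comment such as `// NOTE: denylist only — not a substitute for an allowlist HTML sanitizer`. The parameter name `text` also shadows the component's `text` prop used in `$: sanitized = sanitize(text)`; renaming it (e.g. `html`) would make the reactive statement easier to read.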
diff --git a/src/routes/read/_Comments.svelte b/src/routes/read/_Comments.svelte
new file mode 100644
index 00000000..b7e69b3d
--- /dev/null
+++ b/src/routes/read/_Comments.svelte
@@ -0,0 +1,39 @@
+
+
+ +
+ +