Fix XSS vuln (#1897)

Anon 2023-07-10 06:37:07 -05:00 committed by GitHub
parent 3d58baea7c
commit e80bcf53ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -188,13 +188,16 @@ export function setupMarkdown() {
//Provide custom renderer for our emojis to allow us to add a css class and force size dimensions on them. //Provide custom renderer for our emojis to allow us to add a css class and force size dimensions on them.
const item = tokens[idx] as any; const item = tokens[idx] as any;
const title = item.attrs.length >= 3 ? item.attrs[2][1] : ""; const title = item.attrs.length >= 3 ? item.attrs[2][1] : "";
const src: string = item.attrs[0][1]; const customEmoji = customEmojisLookup.get(title);
const isCustomEmoji = customEmojisLookup.get(title) != undefined; const isCustomEmoji = customEmoji != undefined;
if (!isCustomEmoji) { if (!isCustomEmoji) {
return defaultRenderer?.(tokens, idx, options, env, self) ?? ""; return defaultRenderer?.(tokens, idx, options, env, self) ?? "";
} }
const alt_text = item.content; return `<img class="icon icon-emoji" src="${
return `<img class="icon icon-emoji" src="${src}" title="${title}" alt="${alt_text}"/>`; customEmoji!.custom_emoji.image_url
}" title="${customEmoji!.custom_emoji.shortcode}" alt="${
customEmoji!.custom_emoji.alt_text
}"/>`;
}; };
md.renderer.rules.table_open = function () { md.renderer.rules.table_open = function () {
return '<table class="table">'; return '<table class="table">';
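Review bot: The three values interpolated into the `<img>` attributes on the new side (`image_url`, `shortcode`, `alt_text`) are written without HTML-attribute escaping, so a double quote in any of them would end the attribute early. Taking them from the `customEmojisLookup` entry instead of the markdown token removes the user-controlled path visible here, but the output is then only as safe as the stored emoji record, and where those fields are validated is not visible on this page. Wrapping each value in markdown-it's escaper, e.g. `alt="${md.utils.escapeHtml(customEmoji.custom_emoji.alt_text)}"`, would keep the renderer safe regardless of what is stored. The repeated `customEmoji!` assertions could be dropped by testing `if (customEmoji === undefined)` directly, so the compiler narrows the value instead of being overridden. The renderer function that contains these lines starts above the hunk.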