frontend/components/global/SafeMarkdown.vue

<template>
  <VueMarkdown :source="sanitizeMarkdown(source)"></VueMarkdown>
</template>

<script lang="ts">
// @ts-ignore vue-markdown has no types
import VueMarkdown from "@adapttive/vue-markdown";
import { defineComponent } from "@nuxtjs/composition-api";
import DOMPurify from "isomorphic-dompurify";

export default defineComponent({
  components: {
    VueMarkdown,
  },
  props: {
    source: {
      type: String,
      default: "",
    },
  },
  setup() {
    function sanitizeMarkdown(rawHtml: string | null | undefined): string {
      if (!rawHtml) {
        return "";
      }

      const sanitized = DOMPurify.sanitize(rawHtml, {
        // List based on
        // https://support.zendesk.com/hc/en-us/articles/4408824584602-Allowing-unsafe-HTML-in-help-center-articles
        ALLOWED_TAGS: [
                        "strong", "em", "b", "i", "u", "p", "code", "pre", "samp", "kbd", "var", "sub", "sup", "dfn", "cite",
                        "small", "address", "hr", "br", "id", "div", "span", "h1", "h2", "h3", "h4", "h5", "h6",
                        "ul", "ol", "li", "dl", "dt", "dd", "abbr", "a", "img", "blockquote", "iframe",
                        "del", "ins", "table", "thead", "tbody", "tfoot", "tr", "th", "td", "colgroup",
                      ],
        ADD_ATTR: [
                    "href", "src", "alt", "height", "width", "class", "allow", "title", "allowfullscreen", "frameborder",
                    "scrolling", "cite", "datetime", "name", "abbr", "target", "border",
                  ],
      });

      return sanitized;
    }

    return {
      sanitizeMarkdown,
    };
  },
});
</script>
security: multiple reported CVE fixes (#1515) * update out of date license * update typing / refactor * fix arbitrarty path injection * use markdown sanatizer to prevent XSS CWE-79 * fix CWE-918 SSRF by validating url and mime type * add security docs * update recipe-scrapers * resolve DOS from arbitrary url * update changelog * bump version * add ref to #1506 * add #1511 to changelog * use requests decoder * actually fix encoding issue 2022-07-31 13:10:20 -08:00			`<template>`
			`<VueMarkdown :source="sanitizeMarkdown(source)"></VueMarkdown>`
			`</template>`

			`<script lang="ts">`
			`// @ts-ignore vue-markdown has no types`
			`import VueMarkdown from "@adapttive/vue-markdown";`
			`import { defineComponent } from "@nuxtjs/composition-api";`
			`import DOMPurify from "isomorphic-dompurify";`

			`export default defineComponent({`
			`components: {`
			`VueMarkdown,`
			`},`
			`props: {`
			`source: {`
			`type: String,`
			`default: "",`
			`},`
			`},`
			`setup() {`
			`function sanitizeMarkdown(rawHtml: string \| null \| undefined): string {`
			`if (!rawHtml) {`
			`return "";`
			`}`

			`const sanitized = DOMPurify.sanitize(rawHtml, {`
feat: Expanded safe HTML tags and attributes (#2248) * expanded safe html tags and attrs * removed style attr * add note on sources of safe elements --------- Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com> 2023-03-21 14:49:41 -05:00			`// List based on`
			`// https://support.zendesk.com/hc/en-us/articles/4408824584602-Allowing-unsafe-HTML-in-help-center-articles`
			`ALLOWED_TAGS: [`
			`"strong", "em", "b", "i", "u", "p", "code", "pre", "samp", "kbd", "var", "sub", "sup", "dfn", "cite",`
			`"small", "address", "hr", "br", "id", "div", "span", "h1", "h2", "h3", "h4", "h5", "h6",`
			`"ul", "ol", "li", "dl", "dt", "dd", "abbr", "a", "img", "blockquote", "iframe",`
			`"del", "ins", "table", "thead", "tbody", "tfoot", "tr", "th", "td", "colgroup",`
			`],`
			`ADD_ATTR: [`
			`"href", "src", "alt", "height", "width", "class", "allow", "title", "allowfullscreen", "frameborder",`
			`"scrolling", "cite", "datetime", "name", "abbr", "target", "border",`
			`],`
security: multiple reported CVE fixes (#1515) * update out of date license * update typing / refactor * fix arbitrarty path injection * use markdown sanatizer to prevent XSS CWE-79 * fix CWE-918 SSRF by validating url and mime type * add security docs * update recipe-scrapers * resolve DOS from arbitrary url * update changelog * bump version * add ref to #1506 * add #1511 to changelog * use requests decoder * actually fix encoding issue 2022-07-31 13:10:20 -08:00			`});`

			`return sanitized;`
			`}`

			`return {`
			`sanitizeMarkdown,`
			`};`
			`},`
			`});`
			`</script>`