mirror of
https://github.com/mealie-recipes/mealie.git
synced 2025-11-04 03:28:28 -05:00
13850cda1f
* update out of date license * update typing / refactor * fix arbitrarty path injection * use markdown sanatizer to prevent XSS CWE-79 * fix CWE-918 SSRF by validating url and mime type * add security docs * update recipe-scrapers * resolve DOS from arbitrary url * update changelog * bump version * add ref to #1506 * add #1511 to changelog * use requests decoder * actually fix encoding issue
43 lines
976 B
Vue
43 lines
976 B
Vue
<template>
|
|
<VueMarkdown :source="sanitizeMarkdown(source)"></VueMarkdown>
|
|
</template>
|
|
|
|
<script lang="ts">
|
|
// @ts-ignore vue-markdown has no types
|
|
import VueMarkdown from "@adapttive/vue-markdown";
|
|
import { defineComponent } from "@nuxtjs/composition-api";
|
|
import DOMPurify from "isomorphic-dompurify";
|
|
|
|
export default defineComponent({
|
|
components: {
|
|
VueMarkdown,
|
|
},
|
|
props: {
|
|
source: {
|
|
type: String,
|
|
default: "",
|
|
},
|
|
},
|
|
setup() {
|
|
function sanitizeMarkdown(rawHtml: string | null | undefined): string {
|
|
if (!rawHtml) {
|
|
return "";
|
|
}
|
|
|
|
const sanitized = DOMPurify.sanitize(rawHtml, {
|
|
USE_PROFILES: { html: true },
|
|
// TODO: some more thought could be put into what is allowed and what isn't
|
|
ALLOWED_TAGS: ["img", "div", "p"],
|
|
ADD_ATTR: ["src", "alt", "height", "width", "class"],
|
|
});
|
|
|
|
return sanitized;
|
|
}
|
|
|
|
return {
|
|
sanitizeMarkdown,
|
|
};
|
|
},
|
|
});
|
|
</script>
|