Cutlery/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-11-04 03:27:12 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3366 from paperless-ngx/fix/huntr-94517f3f-ed86-4d88-bce1-6e9ba11fe1c2

Browse Source 
[Security] Render frontend text as plain text
This commit is contained in:
shamoon 2023-05-10 11:16:24 -07:00 committed by GitHub
commit a42f28c502
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src-ui/src/app/components/document-detail/document-detail.component.html
View File

@ -207,8 +207,8 @@
<object [data]="previewUrl | safeUrl" class="preview-sticky" width="100%"></object> <object [data]="previewUrl | safeUrl" class="preview-sticky" width="100%"></object>
</ng-template> </ng-template>
</ng-container> </ng-container>
<ng-container *ngIf="getContentType() === 'text/plain'"> <ng-container *ngIf="renderAsPlainText">
<div [innerHTML]="previewHtml | safeHtml" class="preview-sticky bg-light p-3" width="100%"></div> <div [innerText]="previewText" class="preview-sticky bg-light p-3" width="100%"></div>
</ng-container> </ng-container>
<div *ngIf="requiresPassword" class="password-prompt"> <div *ngIf="requiresPassword" class="password-prompt">
<form> <form>

16
src-ui/src/app/components/document-detail/document-detail.component.ts
View File

@ -81,7 +81,7 @@ export class DocumentDetailComponent
title: string title: string
titleSubject: Subject<string> = new Subject() titleSubject: Subject<string> = new Subject()
previewUrl: string previewUrl: string
_previewHtml: string previewText: string
downloadUrl: string downloadUrl: string
downloadOriginalUrl: string downloadOriginalUrl: string
@ -164,6 +164,12 @@ export class DocumentDetailComponent
: this.metadata?.original_mime_type : this.metadata?.original_mime_type
} }
get renderAsPlainText(): boolean {
return ['text/plain', 'application/csv', 'text/csv'].includes(
this.getContentType()
)
}
get isRTL() { get isRTL() {
if (!this.metadata || !this.metadata.lang) return false if (!this.metadata || !this.metadata.lang) return false
else { else {
@ -220,10 +226,10 @@ export class DocumentDetailComponent
this.previewUrl = this.documentsService.getPreviewUrl(this.documentId) this.previewUrl = this.documentsService.getPreviewUrl(this.documentId)
this.http.get(this.previewUrl, { responseType: 'text' }).subscribe({ this.http.get(this.previewUrl, { responseType: 'text' }).subscribe({
next: (res) => { next: (res) => {
this._previewHtml = res.toString() this.previewText = res.toString()
}, },
error: (err) => { error: (err) => {
this._previewHtml = $localize`An error occurred loading content: ${ this.previewText = $localize`An error occurred loading content: ${
err.message ?? err.toString() err.message ?? err.toString()
}` }`
}, },
@ -752,8 +758,4 @@ export class DocumentDetailComponent
) )
) )
} }
get previewHtml(): string {
return this._previewHtml
}
} }