OpenCloud
/
element-web
mirror of https://github.com/vector-im/element-web
1
0
Fork 0
Code Issues Releases Wiki Activity

Silence sanitize-html warning (#10334)

pull/28788/head^2
Michael Telatynski 2023-03-09 09:08:42 +00:00 committed by GitHub
parent cef821c21b
commit 01d7b795ab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/utils/Reply.ts
View File

@ -44,7 +44,7 @@ export function stripPlainReply(body: string): string {
return lines.join("\n");
}
// Part of Replies fallback support
// Part of Replies fallback support - MUST NOT BE RENDERED DIRECTLY - UNSAFE HTML
export function stripHTMLReply(html: string): string {
// Sanitize the original HTML for inclusion in <mx-reply>. We allow
// any HTML, since the original sender could use special tags that we
@ -56,6 +56,7 @@ export function stripHTMLReply(html: string): string {
return sanitizeHtml(html, {
allowedTags: false, // false means allow everything
allowedAttributes: false,
allowVulnerableTags: false, // silence xss warning, we won't be rendering directly this, so it is safe to do
// we somehow can't allow all schemes, so we allow all that we
// know of and mxc (for img tags)
allowedSchemes: [...PERMITTED_URL_SCHEMES, "mxc"],