mirror of
https://github.com/HangarMC/Hangar.git
synced 2024-12-09 06:32:43 +08:00
Disgusting hacks to allow video embed and links
... before we either use a different sanitization lib or figure out how to move the sanitization before the markdown renderer without destroying plain text
This commit is contained in:
parent
d21dd69987
commit
4dc4c37559
@ -130,16 +130,16 @@ async function requireGlobalPerm(authStore: ReturnType<typeof useAuthStore>, to:
|
|||||||
permissions: toNamedPermission(to.meta.requireGlobalPerm as string[]),
|
permissions: toNamedPermission(to.meta.requireGlobalPerm as string[]),
|
||||||
}).catch((e) => {
|
}).catch((e) => {
|
||||||
try {
|
try {
|
||||||
console.log("erro!", e);
|
console.log("error!", e);
|
||||||
handleRequestError(e, useContext(), useI18n());
|
handleRequestError(e, useContext(), useI18n());
|
||||||
} catch (e2) {
|
} catch (e2) {
|
||||||
console.log("error while checking perm", e);
|
console.log("error while checking perm", e);
|
||||||
console.log("encountered additional error while error handling", e2);
|
console.log("encountered additional error while error handling", e2);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
console.log("result", check);
|
console.debug("result", check);
|
||||||
if (check && (check.type !== PermissionType.GLOBAL || !check.result)) {
|
if (check && (check.type !== PermissionType.GLOBAL || !check.result)) {
|
||||||
console.log("404?");
|
console.debug("404?");
|
||||||
return useErrorRedirect(to, 404, "Not found");
|
return useErrorRedirect(to, 404, "Not found");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -26,7 +26,7 @@ import com.vladsch.flexmark.parser.Parser;
|
|||||||
import com.vladsch.flexmark.util.ast.Node;
|
import com.vladsch.flexmark.util.ast.Node;
|
||||||
import com.vladsch.flexmark.util.data.MutableDataSet;
|
import com.vladsch.flexmark.util.data.MutableDataSet;
|
||||||
import io.papermc.hangar.config.hangar.HangarConfig;
|
import io.papermc.hangar.config.hangar.HangarConfig;
|
||||||
import io.papermc.hangar.util.HtmlSanitizerUtil;
|
import io.papermc.hangar.util.HtmlSanitizer;
|
||||||
import org.jetbrains.annotations.NotNull;
|
import org.jetbrains.annotations.NotNull;
|
||||||
import org.jetbrains.annotations.Nullable;
|
import org.jetbrains.annotations.Nullable;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
@ -40,10 +40,12 @@ public class MarkdownService {
|
|||||||
private final Parser markdownParser;
|
private final Parser markdownParser;
|
||||||
private final MutableDataSet options;
|
private final MutableDataSet options;
|
||||||
private final HangarConfig config;
|
private final HangarConfig config;
|
||||||
|
private final HtmlSanitizer sanitizer;
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
public MarkdownService(HangarConfig config) {
|
public MarkdownService(HangarConfig config, final HtmlSanitizer sanitizer) {
|
||||||
this.config = config;
|
this.config = config;
|
||||||
|
this.sanitizer = sanitizer;
|
||||||
|
|
||||||
options = new MutableDataSet()
|
options = new MutableDataSet()
|
||||||
.set(AnchorLinkExtension.ANCHORLINKS_TEXT_SUFFIX, "<svg class=\"ml-2 text-xl\" preserveAspectRatio=\"xMidYMid meet\" viewBox=\"0 0 24 24\" width=\"1.2em\" height=\"1.2em\"><path fill=\"currentColor\" d=\"M10.59 13.41c.41.39.41 1.03 0 1.42c-.39.39-1.03.39-1.42 0a5.003 5.003 0 0 1 0-7.07l3.54-3.54a5.003 5.003 0 0 1 7.07 0a5.003 5.003 0 0 1 0 7.07l-1.49 1.49c.01-.82-.12-1.64-.4-2.42l.47-.48a2.982 2.982 0 0 0 0-4.24a2.982 2.982 0 0 0-4.24 0l-3.53 3.53a2.982 2.982 0 0 0 0 4.24m2.82-4.24c.39-.39 1.03-.39 1.42 0a5.003 5.003 0 0 1 0 7.07l-3.54 3.54a5.003 5.003 0 0 1-7.07 0a5.003 5.003 0 0 1 0-7.07l1.49-1.49c-.01.82.12 1.64.4 2.43l-.47.47a2.982 2.982 0 0 0 0 4.24a2.982 2.982 0 0 0 4.24 0l3.53-3.53a2.982 2.982 0 0 0 0-4.24a.973.973 0 0 1 0-1.42Z\"></path></svg>")
|
.set(AnchorLinkExtension.ANCHORLINKS_TEXT_SUFFIX, "<svg class=\"ml-2 text-xl\" preserveAspectRatio=\"xMidYMid meet\" viewBox=\"0 0 24 24\" width=\"1.2em\" height=\"1.2em\"><path fill=\"currentColor\" d=\"M10.59 13.41c.41.39.41 1.03 0 1.42c-.39.39-1.03.39-1.42 0a5.003 5.003 0 0 1 0-7.07l3.54-3.54a5.003 5.003 0 0 1 7.07 0a5.003 5.003 0 0 1 0 7.07l-1.49 1.49c.01-.82-.12-1.64-.4-2.42l.47-.48a2.982 2.982 0 0 0 0-4.24a2.982 2.982 0 0 0-4.24 0l-3.53 3.53a2.982 2.982 0 0 0 0 4.24m2.82-4.24c.39-.39 1.03-.39 1.42 0a5.003 5.003 0 0 1 0 7.07l-3.54 3.54a5.003 5.003 0 0 1-7.07 0a5.003 5.003 0 0 1 0-7.07l1.49-1.49c-.01.82.12 1.64.4 2.43l-.47.47a2.982 2.982 0 0 0 0 4.24a2.982 2.982 0 0 0 4.24 0l3.53-3.53a2.982 2.982 0 0 0 0-4.24a.973.973 0 0 1 0-1.42Z\"></path></svg>")
|
||||||
@ -62,12 +64,13 @@ public class MarkdownService {
|
|||||||
AutolinkExtension.create(),
|
AutolinkExtension.create(),
|
||||||
AnchorLinkExtension.create(),
|
AnchorLinkExtension.create(),
|
||||||
StrikethroughExtension.create(),
|
StrikethroughExtension.create(),
|
||||||
TaskListExtension.create(),
|
|
||||||
TablesExtension.create(),
|
TablesExtension.create(),
|
||||||
TypographicExtension.create(),
|
TypographicExtension.create(),
|
||||||
WikiLinkExtension.create(),
|
WikiLinkExtension.create(),
|
||||||
EmojiExtension.create(),
|
EmojiExtension.create(),
|
||||||
FootnoteExtension.create(),
|
//TODO readd after sanitization is fixed
|
||||||
|
//TaskListExtension.create(),
|
||||||
|
//FootnoteExtension.create(),
|
||||||
AdmonitionExtension.create(),
|
AdmonitionExtension.create(),
|
||||||
GitLabExtension.create(),
|
GitLabExtension.create(),
|
||||||
YouTubeLinkExtension.create(),
|
YouTubeLinkExtension.create(),
|
||||||
@ -102,7 +105,7 @@ public class MarkdownService {
|
|||||||
|
|
||||||
// Render markdown and then sanitize html
|
// Render markdown and then sanitize html
|
||||||
input = htmlRenderer.render(markdownParser.parse(input));
|
input = htmlRenderer.render(markdownParser.parse(input));
|
||||||
return HtmlSanitizerUtil.sanitize(input);
|
return sanitizer.sanitize(input);
|
||||||
}
|
}
|
||||||
|
|
||||||
static class RenderSettings {
|
static class RenderSettings {
|
||||||
|
71
src/main/java/io/papermc/hangar/util/HtmlSanitizer.java
Normal file
71
src/main/java/io/papermc/hangar/util/HtmlSanitizer.java
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
package io.papermc.hangar.util;
|
||||||
|
|
||||||
|
import io.papermc.hangar.config.hangar.HangarConfig;
|
||||||
|
import java.util.List;
|
||||||
|
import org.owasp.html.HtmlPolicyBuilder;
|
||||||
|
import org.owasp.html.HtmlStreamEventReceiver;
|
||||||
|
import org.owasp.html.HtmlStreamEventReceiverWrapper;
|
||||||
|
import org.owasp.html.PolicyFactory;
|
||||||
|
import org.owasp.html.Sanitizers;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.stereotype.Service;
|
||||||
|
|
||||||
|
@Service
|
||||||
|
public final class HtmlSanitizer {
|
||||||
|
|
||||||
|
private final PolicyFactory sanitizer;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
public HtmlSanitizer(final HangarConfig config) {
|
||||||
|
//TODO remove this disgusting hack when we can put the sanitizer before the markdown renderer
|
||||||
|
final PolicyFactory links = new HtmlPolicyBuilder().withPostprocessor((HtmlStreamEventReceiver r) -> new HtmlStreamEventReceiverWrapper(r) {
|
||||||
|
@Override
|
||||||
|
public void openTag(final String elementName, final List<String> attrs) {
|
||||||
|
if (!"a".equals(elementName)) {
|
||||||
|
super.openTag(elementName, attrs);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (int i = 0, n = attrs.size(); i < n; i += 2) {
|
||||||
|
if (!"href".equals(attrs.get(i))) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
final String url = attrs.get(i + 1);
|
||||||
|
final String safeUrl = config.security.makeSafe(url);
|
||||||
|
if (!url.equals(safeUrl)) {
|
||||||
|
attrs.set(i + 1, safeUrl);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
super.openTag(elementName, attrs);
|
||||||
|
}
|
||||||
|
}).allowStandardUrlProtocols().allowElements("a").allowAttributes("href", "id", "class").onElements("a").toFactory();
|
||||||
|
final PolicyFactory iframes = new HtmlPolicyBuilder().withPostprocessor((HtmlStreamEventReceiver r) -> new HtmlStreamEventReceiverWrapper(r) {
|
||||||
|
@Override
|
||||||
|
public void openTag(final String elementName, final List<String> attrs) {
|
||||||
|
if (!"iframe".equals(elementName)) {
|
||||||
|
super.openTag(elementName, attrs);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (int i = 0, n = attrs.size(); i < n; i += 2) {
|
||||||
|
if ("src".equals(attrs.get(i)) && !attrs.get(i + 1).startsWith("https://www.youtube-nocookie.com/embed/")) {
|
||||||
|
// Only allow YouTube video embeds
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
super.openTag(elementName, attrs);
|
||||||
|
}
|
||||||
|
}).allowUrlProtocols("https").allowElements("iframe").allowAttributes("src", "allowfullscreen", "border", "height", "width", "frameborder", "allow", "class").onElements("iframe").toFactory();
|
||||||
|
|
||||||
|
final PolicyFactory images = new HtmlPolicyBuilder().allowStandardUrlProtocols().allowElements("img", "svg", "path")
|
||||||
|
.allowAttributes("alt", "src", "border", "height", "width", "preserveAspectRatio", "viewBox", "class").onElements("img", "svg") // TODO don't allow class attribute
|
||||||
|
.allowAttributes("fill", "d").onElements("path").toFactory();
|
||||||
|
sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.TABLES).and(Sanitizers.STYLES)
|
||||||
|
.and(images).and(links).and(iframes).and(new HtmlPolicyBuilder().allowElements("pre", "details", "summary", "hr").toFactory());
|
||||||
|
}
|
||||||
|
|
||||||
|
public String sanitize(final String input) {
|
||||||
|
return sanitizer.sanitize(input);
|
||||||
|
}
|
||||||
|
}
|
@ -1,17 +0,0 @@
|
|||||||
package io.papermc.hangar.util;
|
|
||||||
|
|
||||||
import org.owasp.html.HtmlPolicyBuilder;
|
|
||||||
import org.owasp.html.PolicyFactory;
|
|
||||||
import org.owasp.html.Sanitizers;
|
|
||||||
|
|
||||||
public final class HtmlSanitizerUtil {
|
|
||||||
|
|
||||||
private static final PolicyFactory IMAGES = new HtmlPolicyBuilder().allowUrlProtocols("https").allowElements("img")
|
|
||||||
.allowAttributes("alt", "src").onElements("img").allowAttributes("border", "height", "width").onElements("img").toFactory();
|
|
||||||
private static final PolicyFactory SANITIZER = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(IMAGES).and(Sanitizers.TABLES).and(Sanitizers.STYLES)
|
|
||||||
.and(new HtmlPolicyBuilder().allowElements("pre", "details", "summary").toFactory());
|
|
||||||
|
|
||||||
public static String sanitize(final String input) {
|
|
||||||
return SANITIZER.sanitize(input);
|
|
||||||
}
|
|
||||||
}
|
|
@ -165,6 +165,10 @@ hangar:
|
|||||||
safe-download-hosts:
|
safe-download-hosts:
|
||||||
- "github.com"
|
- "github.com"
|
||||||
- "youtu.be"
|
- "youtu.be"
|
||||||
|
- "youtube.com"
|
||||||
|
- "papermc.io"
|
||||||
|
- "discord.gg"
|
||||||
|
- "markdownguide.org"
|
||||||
|
|
||||||
discourse:
|
discourse:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
Loading…
Reference in New Issue
Block a user