author: Fuwn <[email protected]> 2026-06-01 15:45:01 +0000
committer: Fuwn <[email protected]> 2026-06-01 15:45:01 +0000
commit: 6a7228c06d7af2a28ead1f4ae1830a258c05afae
tree: 26a1fc3cc8546bd15dac92910998afb8c2a67fd9 /package.json
parent: fix(security): allow-list web-push endpoints to stop SSRF
fix(security): sanitize third-party RSS HTML before {@html}
The /updates page rendered manga/novel feed fields (content, titles, series names) from mangaupdates/syosetu/wlnupdates via {@html} with no sanitization. CSP already blocks script execution, but injected markup could still phish, redirect, or track. Add sanitizeFeedHtml (DOMPurify with a small safe allow-list) and apply it on ingest. A behaviour-gate test plus a check against the live mangaupdates feed confirm legitimate formatting (entities, <i>/<b>/<a href>) is preserved while <script>, event handlers, <iframe>/<meta>/<style> and javascript: URLs are removed.
Diffstat (limited to 'package.json')
-rw-r--r-- package.json 1
1 files changed, 1 insertions, 0 deletions
diff --git a/package.json b/package.json
index c9cce24b..ac44767c 100644
--- a/package.json
+++ b/package.json
@@ -58,6 +58,7 @@
"botid": "^1.5.10",
"caniuse-lite": "^1.0.30001655",
"dexie": "^4.0.1-alpha.25",
+ "dompurify": "^3.4.7",
"effect": "4.0.0-beta.25",
"fast-levenshtein": "^3.0.0",
"jsdom": "^23.0.1",
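Review bot: `"dompurify": "^3.4.7"` is added in the same dependency block as `"jsdom": "^23.0.1"`, which matters because the commit message says sanitizeFeedHtml runs on ingest, i.e. server side, where DOMPurify has no global `window` and must be instantiated from a jsdom window; the companion source change (not in this diff, which is limited to package.json) should be checked to confirm it does that rather than relying on a global. The caret range lets the installed version float across 3.x releases, which is reasonable for a sanitizer that receives bypass fixes, provided the lockfile is updated in the same commit so deployments are reproducible.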