diff options
| author | Fuwn <[email protected]> | 2026-06-02 00:25:29 +0000 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-06-02 00:25:29 +0000 |
| commit | 31b825b183bfae702c8ceb2fa48b29a4b830cf73 (patch) | |
| tree | 6c14ae74185897bbf0957dc77fe214d4b022c12a /pnpm-lock.yaml | |
| parent | fix(updates): isolate feed failures so one feed can't break the page (diff) | |
| download | due.moe-31b825b183bfae702c8ceb2fa48b29a4b830cf73.tar.xz due.moe-31b825b183bfae702c8ceb2fa48b29a4b830cf73.zip | |
fix(security): sanitize badge_wall_css server-side, render via textContent
Custom badge-wall CSS was sanitised only client-side with a fragile regex
and injected via innerHTML, while the stored value stayed raw. Sanitise
at the write boundary instead (setCSS, covering both the REST and GraphQL
paths) with a css-tree pass that parses leniently and drops @import,
behavior/-moz-binding, expression()/javascript: values, and </style>
break-out attempts; render with textContent instead of innerHTML so
break-out is impossible by construction (CSP already blocks inline
script). css-tree stays server-only. A behaviour-gate test confirms
ordinary CSS (backdrop-filter, content, url(), @media, @keyframes) is
preserved while the dangerous constructs are removed.
The previous regex also silently stripped all `content:` declarations;
those now render correctly.
Diffstat (limited to 'pnpm-lock.yaml')
| -rw-r--r-- | pnpm-lock.yaml | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index cc1644e5..d270e294 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -29,6 +29,9 @@ importers: caniuse-lite: specifier: ^1.0.30001655 version: 1.0.30001766 + css-tree: + specifier: ^3.2.1 + version: 3.2.1 dexie: specifier: ^4.0.1-alpha.25 version: 4.2.1 @@ -96,6 +99,9 @@ importers: '@sveltejs/vite-plugin-svelte': specifier: ^4.0.0 + '@types/css-tree': + specifier: ^2.3.11 + version: 2.3.11 '@types/fast-levenshtein': specifier: ^0.0.4 version: 0.0.4 @@ -2072,6 +2078,9 @@ packages: '@types/[email protected]': resolution: {integrity: sha512-mFNylyeyqN93lfe/9CSxOGREz8cpzAhH+E93xJ4xWQf62V8sQ/24reV2nyzUWM6H6Xji+GGHpkbLe7pVoUEskg==} + '@types/[email protected]': + resolution: {integrity: sha512-aEokibJOI77uIlqoBOkVbaQGC9zII0A+JH1kcTNKW2CwyYWD8KM6qdo+4c77wD3wZOQfJuNWAr9M4hdk+YhDIg==} + '@types/[email protected]': resolution: {integrity: sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==} @@ -2569,6 +2578,10 @@ packages: resolution: {integrity: sha512-6Fv1DV/TYw//QF5IzQdqsNDjx/wc8TrMBZsqjL9eW01tWb7R7k/mq+/VXfJCl7SoD5emsJop9cOByJZfs8hYIw==} engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0} + resolution: {integrity: sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==} + engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0} + resolution: {integrity: sha512-2z+rWdzbbSZv6/rhtvzvqeZQHrBaqgogqt85sqFNbabZOuFbCVFb8kPeEtZjiKkbrm395irpNKiYeFeLiQnFPg==} engines: {node: '>=18'} @@ -3404,6 +3417,9 @@ packages: resolution: {integrity: sha512-GaqWWShW4kv/G9IEucWScBx9G1/vsFZZJUO+tD26M8J8z3Kw5RDQjaoZe03YAClgeS/SWPOcb4nkFBTEi5DUEA==} + resolution: {integrity: sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==} + resolution: {integrity: sha512-UERzLsxzllchadvbPs5aolHh65ISpKpM+ccLbOJ8/vvpBKmAWf+la7dXFy7Mr0ySHbdHrFv5kGFCUHHe6GFEmw==} engines: {node: '>= 4.0.0'} @@ -6360,6 +6376,8 @@ snapshots: dependencies: '@types/node': 17.0.45 + '@types/[email protected]': {} + '@types/[email protected]': {} '@types/[email protected]': {} @@ -6839,6 +6857,11 @@ snapshots: mdn-data: 2.0.30 source-map-js: 1.2.1 + dependencies: + mdn-data: 2.27.1 + source-map-js: 1.2.1 + dependencies: '@asamuzakjp/css-color': 3.2.0 @@ -7948,6 +7971,8 @@ snapshots: + [email protected]: {} + dependencies: fs-monkey: 1.1.0 |