sanitize all user inputs, fix #2172

2025-11-18 18:51:32 +10:00 · 2025-01-24 23:53:45 +01:00
parent 308a8e3ae3
commit c7ae0e94d7
29 changed files with 190 additions and 99 deletions
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -347,6 +347,9 @@ importers:
      rxjs:
        specifier: ^7.8.1
        version: 7.8.1
+      sanitize-html:
+        specifier: ^2.14.0
+        version: 2.14.0
      sharp:
        specifier: ^0.33.5
        version: 0.33.5
@ -540,6 +543,9 @@ importers:
      '@types/retry':
        specifier: ^0.12.5
        version: 0.12.5
+      '@types/sanitize-html':
+        specifier: ^2.13.0
+        version: 2.13.0
      '@types/webfontloader':
        specifier: ^1.6.38
        version: 1.6.38
@ -4462,6 +4468,9 @@ packages:
  '@types/retry@0.12.5':
    resolution: {integrity: sha512-3xSjTp3v03X/lSQLkczaN9UIEwJMoMCA1+Nb5HfbJEQWogdeQIyVtTvxPXDQjZ5zws8rFQfVfRdz03ARihPJgw==}

+  '@types/sanitize-html@2.13.0':
+    resolution: {integrity: sha512-X31WxbvW9TjIhZZNyNBZ/p5ax4ti7qsNDBDEnH4zAgmEh35YnFD1UiS6z9Cd34kKm0LslFW0KPmTQzu/oGtsqQ==}
+
  '@types/semver@7.5.8':
    resolution: {integrity: sha512-I8EUhyrgfLrcTkzV3TSsGyl1tSuPrEDzr0yd5m90UgNxQkyDXULk3b6MlQqTCpZpNtWe1K0hzclnZkTcLBe2UQ==}

@ -8892,6 +8901,9 @@ packages:
    resolution: {integrity: sha512-1Y1A//QUXEZK7YKz+rD9WydcE1+EuPr6ZBgKecAB8tmoW6UFv0NREVJe1p+jRxtThkcbbKkfwIbWJe/IeE6m2Q==}
    engines: {node: '>=0.10.0'}

+  parse-srcset@1.0.2:
+    resolution: {integrity: sha512-/2qh0lav6CmI15FzA3i/2Bzk2zCgQhGMkvhOhKNcBVQ1ldgpbfiNTVslmooUmWJcADi1f1kIeynbDRVzNlfR6Q==}
+
  parse5-htmlparser2-tree-adapter@7.0.0:
    resolution: {integrity: sha512-B77tOZrqqfUfnVcOrUvfdLbz4pu4RopLD/4vmu3HUPswwTA8OH0EMW9BlWR2B0RCoiZRAHEUu7IxeP1Pd1UU+g==}

@ -10003,6 +10015,9 @@ packages:
  safer-buffer@2.1.2:
    resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==}

+  sanitize-html@2.14.0:
+    resolution: {integrity: sha512-CafX+IUPxZshXqqRaG9ZClSlfPVjSxI0td7n07hk8QO2oO+9JDnlcL8iM8TWeOXOIBFgIOx6zioTzM53AOMn3g==}
+
  sass-loader@12.6.0:
    resolution: {integrity: sha512-oLTaH0YCtX4cfnJZxKSLAyglED0naiYfNG1iXfU5w1LNZ+ukoA5DtyDIN5zmKVZwYNJP4KRc5Y3hkWga+7tYfA==}
    engines: {node: '>= 12.13.0'}
@ -16235,6 +16250,10 @@ snapshots:

  '@types/retry@0.12.5': {}

+  '@types/sanitize-html@2.13.0':
+    dependencies:
+      htmlparser2: 8.0.2
+
  '@types/semver@7.5.8': {}

  '@types/send@0.17.4':
@ -19496,7 +19515,6 @@ snapshots:
      domhandler: 5.0.3
      domutils: 3.1.0
      entities: 4.5.0
-    optional: true

  htmlparser2@9.1.0:
    dependencies:
@ -21928,6 +21946,8 @@ snapshots:

  parse-passwd@1.0.0: {}

+  parse-srcset@1.0.2: {}
+
  parse5-htmlparser2-tree-adapter@7.0.0:
    dependencies:
      domhandler: 5.0.3
@ -23096,6 +23116,15 @@ snapshots:

  safer-buffer@2.1.2: {}

+  sanitize-html@2.14.0:
+    dependencies:
+      deepmerge: 4.3.1
+      escape-string-regexp: 4.0.0
+      htmlparser2: 8.0.2
+      is-plain-object: 5.0.0
+      parse-srcset: 1.0.2
+      postcss: 8.5.1
+
  sass-loader@12.6.0(sass@1.71.1)(webpack@5.97.1(@swc/core@1.10.7(@swc/helpers@0.5.15))):
    dependencies:
      klona: 2.0.6