security: multiple reported CVE fixes (#1515)

* update out of date license * update typing / refactor * fix arbitrarty path injection * use markdown sanatizer to prevent XSS CWE-79 * fix CWE-918 SSRF by validating url and mime type * add security docs * update recipe-scrapers * resolve DOS from arbitrary url * update changelog * bump version * add ref to #1506 * add #1511 to changelog * use requests decoder * actually fix encoding issue
2025-07-23 15:19:41 +02:00 · 2022-07-31 13:10:20 -08:00 · 2022-07-31 13:10:20 -08:00 · 13850cda1f
commit 13850cda1f
parent 483f789b8e
23 changed files with 401 additions and 118 deletions
--- a/frontend/components/global/SafeMarkdown.vue
+++ b/frontend/components/global/SafeMarkdown.vue
@ -0,0 +1,42 @@
+<template>
+  <VueMarkdown :source="sanitizeMarkdown(source)"></VueMarkdown>
+</template>
+
+<script lang="ts">
+// @ts-ignore vue-markdown has no types
+import VueMarkdown from "@adapttive/vue-markdown";
+import { defineComponent } from "@nuxtjs/composition-api";
+import DOMPurify from "isomorphic-dompurify";
+
+export default defineComponent({
+  components: {
+    VueMarkdown,
+  },
+  props: {
+    source: {
+      type: String,
+      default: "",
+    },
+  },
+  setup() {
+    function sanitizeMarkdown(rawHtml: string | null | undefined): string {
+      if (!rawHtml) {
+        return "";
+      }
+
+      const sanitized = DOMPurify.sanitize(rawHtml, {
+        USE_PROFILES: { html: true },
+        // TODO: some more thought could be put into what is allowed and what isn't
+        ALLOWED_TAGS: ["img", "div", "p"],
+        ADD_ATTR: ["src", "alt", "height", "width", "class"],
+      });
+
+      return sanitized;
+    }
+
+    return {
+      sanitizeMarkdown,
+    };
+  },
+});
+</script>