
security: fix unsafe html inputs (#1173)

* use DOMPurify to sanitize ingredient html

* fix list-item render for markdown

* address volar linter issue
This commit is contained in:
Hayden 2022-04-24 13:00:04 -08:00 committed by GitHub
parent 1c41ce7538
commit 2613420cd1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 33 additions and 6 deletions


@ -1,8 +1,16 @@
// @ts-ignore DOMPurify has no types
import DOMPurify from "dompurify";
import { useFraction } from "./use-fraction";
import { RecipeIngredient } from "~/types/api-types/recipe";
const { frac } = useFraction();
function sanitizeIngredientHTML(rawHtml: string) {
return DOMPurify.sanitize(rawHtml, {
"USE_PROFILES": {html: true},
"ALLOWED_TAGS": ["b", "q", "i", "strong", "sup"]
}) as string
}
export function parseIngredientText(ingredient: RecipeIngredient, disableAmount: boolean, scale = 1): string {
if (disableAmount) {
return ingredient.note || "";
@ -26,5 +34,6 @@ export function parseIngredientText(ingredient: RecipeIngredient, disableAmount:
}
}
return `${returnQty} ${unit?.name || " "} ${food?.name || " "} ${note || " "}`.replace(/ {2,}/g, " ");
const text = `${returnQty} ${unit?.name || " "} ${food?.name || " "} ${note || " "}`.replace(/ {2,}/g, " ");
return sanitizeIngredientHTML(text);
}
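Review bot: The `disableAmount` early return in the first hunk still hands back `ingredient.note || ""` unsanitized, so the same user-controlled note that is now cleaned on the final return path reaches the caller raw whenever amounts are disabled; make it `return sanitizeIngredientHTML(ingredient.note || "");` so every exit goes through the sanitizer. `parseIngredientText` spans both hunks and its middle is outside this view, so check that no other return was added there. As a hardening step, consider passing `ALLOWED_ATTR: []` alongside `ALLOWED_TAGS`, since the html profile otherwise keeps DOMPurify's default attribute allowlist on those tags, which is presumably more than an ingredient line needs. Minor style point: prefer `// @ts-expect-error` over `// @ts-ignore` on the import so the suppression fails loudly once types are added, and the `as string` cast is unnecessary when no `RETURN_TRUSTED_TYPE` option is set.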