Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-29 22:58:51 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

feat: stricter iframe validation

Browse source
This commit is contained in:
Daniel Avila 2023-09-06 18:37:58 -04:00 committed by Danny Avila
parent 9a68c107eb
commit cc260105ec
3 changed files with 46 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

42
client/src/utils/validateIframe.ts Normal file
View file

@ -0,0 +1,42 @@
export default function validateIframe(content: string): string | boolean | null {
const hasValidIframe =
content.includes('<iframe role="presentation" style="') &&
content.includes('src="https://www.bing.com/images/create');
if (!hasValidIframe) {
return false;
}
const iframeRegex = /<iframe\s[^>]*?>/g;
const iframeMatches = content.match(iframeRegex);
if (!iframeMatches || iframeMatches.length > 1) {
return false;
}
const parser = new DOMParser();
const parsedHtml = parser.parseFromString(content, 'text/html');
const potentiallyHarmfulTags = ['script', 'img', 'style', 'div', 'a', 'input', 'button', 'form'];
for (const tag of potentiallyHarmfulTags) {
const elements = parsedHtml.getElementsByTagName(tag);
if (elements.length > 0) {
return false;
}
}
const iframes = parsedHtml.getElementsByTagName('iframe');
if (iframes.length !== 1) {
return false;
}
const iframe = iframes[0];
// Verify role and src attributes
const role = iframe.getAttribute('role');
const src = iframe.getAttribute('src');
return role === 'presentation' && src && src.startsWith('https://www.bing.com/images/create');
}