Added markdown-it-mermaid for some charts support in all input fields. Replaced xss with dompurify.

Thanks to xuguotong and xet7 ! Fixes #3794
2026-02-05 16:11:47 +01:00 · 2021-05-07 02:13:20 +03:00 · 2021-05-07 02:13:20 +03:00 · 5ab20a9257
commit 5ab20a9257
parent 88e4918208
6 changed files with 5604 additions and 889 deletions
--- a/client/components/activities/activities.js
+++ b/client/components/activities/activities.js
@ -1,4 +1,4 @@
-import sanitizeXss from 'xss';
+import DOMPurify from 'dompurify';

 const activitiesPerPage = 500;

@ -162,11 +162,15 @@ BlazeComponent.extendComponent({
            {
              href: source.url,
            },
-            sanitizeXss(source.system),
+            DOMPurify.sanitize(source.system, {
+              ALLOW_UNKNOWN_PROTOCOLS: true,
+            }),
          ),
        );
      } else {
-        return sanitizeXss(source.system);
+        return DOMPurify.sanitize(source.system, {
+          ALLOW_UNKNOWN_PROTOCOLS: true,
+        });
      }
    }
    return null;
@ -190,10 +194,10 @@ BlazeComponent.extendComponent({
              href: attachment.url({ download: true }),
              target: '_blank',
            },
-            sanitizeXss(attachment.name()),
+            DOMPurify.sanitize(attachment.name()),
          ),
        )) ||
-      sanitizeXss(this.currentData().activity.attachmentName)
+      DOMPurify.sanitize(this.currentData().activity.attachmentName)
    );
  },

@ -232,7 +236,7 @@ BlazeComponent.extendComponent({

 Template.activity.helpers({
  sanitize(value) {
-    return sanitizeXss(value);
+    return DOMPurify.sanitize(value, { ALLOW_UNKNOWN_PROTOCOLS: true });
  },
 });

@ -246,7 +250,7 @@ function createCardLink(card) {
          href: card.originRelativeUrl(),
          class: 'action-card',
        },
-        sanitizeXss(card.title),
+        DOMPurify.sanitize(card.title, { ALLOW_UNKNOWN_PROTOCOLS: true }),
      ),
    )
  );
@ -263,7 +267,7 @@ function createBoardLink(board, list) {
          href: board.originRelativeUrl(),
          class: 'action-board',
        },
-        sanitizeXss(text),
+        DOMPurify.sanitize(text, { ALLOW_UNKNOWN_PROTOCOLS: true }),
      ),
    )
  );
--- a/client/components/main/editor.js
+++ b/client/components/main/editor.js
@ -273,10 +273,12 @@ Template.editor.onRendered(() => {
  }
 });

-import sanitizeXss from 'xss';
+import DOMPurify from 'dompurify';

 // Additional  safeAttrValue function to allow for other specific protocols
 // See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114
+
+/*
 function mySafeAttrValue(tag, name, value, cssFilter) {
  // only when the tag is 'a' and attribute is 'href'
  // then use your custom function
@ -302,6 +304,7 @@ function mySafeAttrValue(tag, name, value, cssFilter) {
    return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
  }
 }
+*/

 // XXX I believe we should compute a HTML rendered field on the server that
 // would handle markdown and user mentions. We can simply have two
@ -317,7 +320,9 @@ Blaze.Template.registerHelper(
    let content = Blaze.toHTML(view.templateContentBlock);
    const currentBoard = Boards.findOne(Session.get('currentBoard'));
    if (!currentBoard)
-      return HTML.Raw(sanitizeXss(content, { safeAttrValue: mySafeAttrValue }));
+      return HTML.Raw(
+        DOMPurify.sanitize(content, { ALLOW_UNKNOWN_PROTOCOLS: true }),
+      );
    const knowedUsers = currentBoard.members.map(member => {
      const u = Users.findOne(member.userId);
      if (u) {
@ -361,7 +366,9 @@ Blaze.Template.registerHelper(
      content = content.replace(fullMention, Blaze.toHTML(link));
    }

-    return HTML.Raw(sanitizeXss(content, { safeAttrValue: mySafeAttrValue }));
+    return HTML.Raw(
+      DOMPurify.sanitize(content, { ALLOW_UNKNOWN_PROTOCOLS: true }),
+    );
  }),
 );