From 3e6566bff5affb72d49566bf79c40c2ded6b0e3d Mon Sep 17 00:00:00 2001
From: Moriz Wahl
Date: Thu, 24 Nov 2022 18:24:53 +0100
Subject: [PATCH] do not sanitize description of embed

---
 backend/src/helpers/walkRecursive.js | 10 ++++++----
 backend/src/middleware/xssMiddleware.js | 7 ++++---
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/backend/src/helpers/walkRecursive.js b/backend/src/helpers/walkRecursive.js
index 85900eeba..c65d3aa2c 100644
--- a/backend/src/helpers/walkRecursive.js
+++ b/backend/src/helpers/walkRecursive.js
@@ -2,24 +2,26 @@
 * iterate through all fields and replace it with the callback result
 * @property data Array
 * @property fields Array
+ * @property fieldName String
 * @property callback Function
 */
-function walkRecursive(data, fields, callback, _key) {
+function walkRecursive(data, fields, fieldName, callback, _key) {
 if (!Array.isArray(fields)) {
 throw new Error('please provide an fields array for the walkRecursive helper')
 }
 if (data && typeof data === 'string' && fields.includes(_key)) {
 // well we found what we searched for, lets replace the value with our callback result
- data = callback(data, _key)
+ const key = _key.split('!')
+ if (key.length === 1 || key[1] !== fieldName) data = callback(data, _key)
 } else if (data && Array.isArray(data)) {
 // go into the rabbit hole and dig through that array
 data.forEach((res, index) => {
- data[index] = walkRecursive(data[index], fields, callback, index)
+ data[index] = walkRecursive(data[index], fields, fieldName, callback, index)
 })
 } else if (data && typeof data === 'object') {
 // lets get some keys and stir them
 Object.keys(data).forEach((k) => {
- data[k] = walkRecursive(data[k], fields, callback, k)
+ data[k] = walkRecursive(data[k], fields, fieldName, callback, k)
 })
 return data
diff --git a/backend/src/middleware/xssMiddleware.js b/backend/src/middleware/xssMiddleware.js
index 9d08aff8e..9b15e9712 100644
--- a/backend/src/middleware/xssMiddleware.js
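Review bot: The exemption never matches: `fields.includes(_key)` compares the data key `description` with the new spec string `'description!embed'` that the xssMiddleware.js hunk puts into `fields`, so it is false and `description` is no longer passed to `cleanHtml` under any resolver, while the following `_key.split('!')` splits the plain data key, which never contains `!`, so `key.length === 1` always holds. The net effect is that sanitizing is switched off for every `description` field rather than only the embed one, and the diffstat shows no test change that would have caught it. Resolve the spec from `fields` by its name part and take the exempted resolver from the spec, as below, and document the syntax in the doc block, e.g. `* @property fields Array of "name" or "name!resolver"; the latter skips the callback for "name" only while "resolver" is being resolved`. The function's closing brace lies outside the visible hunk.
```javascript
  // a spec is either "name" or "name!resolver"; match on the name part only
  const spec = fields.find((f) => f.split('!')[0] === _key)
  if (data && typeof data === 'string' && spec !== undefined) {
    // "name!resolver" exempts "name" only while the resolver named after "!" runs
    const exemptFor = spec.split('!')[1]
    if (exemptFor === undefined || exemptFor !== fieldName) data = callback(data, _key)
  } else if (data && Array.isArray(data)) {
    // … unchanged: array and object recursion …
```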
+++ b/backend/src/middleware/xssMiddleware.js
@@ -1,21 +1,22 @@
 import walkRecursive from '../helpers/walkRecursive'
 import { cleanHtml } from '../middleware/helpers/cleanHtml.js'
+// exclamation mark separetes field names, that should not be sanitized
 const fields = [
 'content',
 'contentExcerpt',
 'reasonDescription',
- 'description',
+ 'description!embed',
 'descriptionExcerpt',
 ]
 export default {
 Mutation: async (resolve, root, args, context, info) => {
- args = walkRecursive(args, fields, cleanHtml)
+ args = walkRecursive(args, fields, info.fieldName, cleanHtml)
 return resolve(root, args, context, info)
 },
 Query: async (resolve, root, args, context, info) => {
 const result = await resolve(root, args, context, info)
- return walkRecursive(result, fields, cleanHtml)
+ return walkRecursive(result, fields, info.fieldName, cleanHtml)
 },
 }
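Review bot: The comment introducing the `!` syntax is misspelled and does not say which side of the mark is which; `// 'name!resolver': sanitize field "name" everywhere except while resolving "resolver" (here: the description of an embed)` would make the entry below self-explaining. Since `info.fieldName` is presumably the root field being resolved, the exemption applies to every `description` string nested anywhere in the `embed` result and, through the Mutation branch, to the args of any mutation of that name, so the comment should also state that this content reaches the client unsanitized and must be rendered as text or cleaned by the consumer. The resolver that produces the embed description is not part of this diff, so whether its source is trusted cannot be judged here.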