ocelot-Social-Community/Ocelot-Social
1
0
Fork 0
mirror of https://github.com/Ocelot-Social-Community/Ocelot-Social.git synced 2025-12-13 07:46:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

do not sanitize description of embed

Browse Source
This commit is contained in:
Moriz Wahl 2022-11-24 18:24:53 +01:00
parent cff0d1601f
commit 3e6566bff5
2 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
backend/src/helpers/walkRecursive.js
View File

@ -2,24 +2,26 @@
* iterate through all fields and replace it with the callback result * iterate through all fields and replace it with the callback result
* @property data Array * @property data Array
* @property fields Array * @property fields Array
* @property fieldName String
* @property callback Function * @property callback Function
*/ */
function walkRecursive(data, fields, callback, _key) { function walkRecursive(data, fields, fieldName, callback, _key) {
if (!Array.isArray(fields)) { if (!Array.isArray(fields)) {
throw new Error('please provide an fields array for the walkRecursive helper') throw new Error('please provide an fields array for the walkRecursive helper')
} }
if (data && typeof data === 'string' && fields.includes(_key)) { if (data && typeof data === 'string' && fields.includes(_key)) {
// well we found what we searched for, lets replace the value with our callback result // well we found what we searched for, lets replace the value with our callback result
data = callback(data, _key) const key = _key.split('!')
if (key.length === 1 || key[1] !== fieldName) data = callback(data, _key)
} else if (data && Array.isArray(data)) { } else if (data && Array.isArray(data)) {
// go into the rabbit hole and dig through that array // go into the rabbit hole and dig through that array
data.forEach((res, index) => { data.forEach((res, index) => {
data[index] = walkRecursive(data[index], fields, callback, index) data[index] = walkRecursive(data[index], fields, fieldName, callback, index)
}) })
} else if (data && typeof data === 'object') { } else if (data && typeof data === 'object') {
// lets get some keys and stir them // lets get some keys and stir them
Object.keys(data).forEach((k) => { Object.keys(data).forEach((k) => {
data[k] = walkRecursive(data[k], fields, callback, k) data[k] = walkRecursive(data[k], fields, fieldName, callback, k)
}) })
} }
return data return data

7
backend/src/middleware/xssMiddleware.js
View File

@ -1,21 +1,22 @@
import walkRecursive from '../helpers/walkRecursive' import walkRecursive from '../helpers/walkRecursive'
import { cleanHtml } from '../middleware/helpers/cleanHtml.js' import { cleanHtml } from '../middleware/helpers/cleanHtml.js'
// exclamation mark separetes field names, that should not be sanitized
const fields = [ const fields = [
'content', 'content',
'contentExcerpt', 'contentExcerpt',
'reasonDescription', 'reasonDescription',
'description', 'description!embed',
'descriptionExcerpt', 'descriptionExcerpt',
] ]
export default { export default {
Mutation: async (resolve, root, args, context, info) => { Mutation: async (resolve, root, args, context, info) => {
args = walkRecursive(args, fields, cleanHtml) args = walkRecursive(args, fields, info.fieldName, cleanHtml)
return resolve(root, args, context, info) return resolve(root, args, context, info)
}, },
Query: async (resolve, root, args, context, info) => { Query: async (resolve, root, args, context, info) => {
const result = await resolve(root, args, context, info) const result = await resolve(root, args, context, info)
return walkRecursive(result, fields, cleanHtml) return walkRecursive(result, fields, info.fieldName, cleanHtml)
}, },
} }