From ad65975c9150ac761c7e7c6696930d4e9e87396c Mon Sep 17 00:00:00 2001 From: Benjamin Auder <benjamin.auder@somewhere> Date: Sat, 2 May 2020 04:14:53 +0200 Subject: [PATCH] Slightly restrain allowed HTML tags + adjust style for problems instr/solu --- client/src/components/UserBio.vue | 2 +- client/src/views/Problems.vue | 20 ++++++++++++-------- server/routes/problems.js | 11 ++++++++++- server/routes/users.js | 11 ++++++++++- 4 files changed, 33 insertions(+), 11 deletions(-) diff --git a/client/src/components/UserBio.vue b/client/src/components/UserBio.vue index 01bafd23..4631e830 100644 --- a/client/src/components/UserBio.vue +++ b/client/src/components/UserBio.vue @@ -115,7 +115,7 @@ export default { .bio-content text-align: left margin: 0 var(--universal-margin) - p, ul, ol + p, ul, ol, pre, table, h3, h4, h5, h6, blockquote margin: var(--universal-margin) 0 .br display: block diff --git a/client/src/views/Problems.vue b/client/src/views/Problems.vue index b989fbcb..adc0ad36 100644 --- a/client/src/views/Problems.vue +++ b/client/src/views/Problems.vue @@ -47,14 +47,14 @@ main @input="adjustHeight('instructions')" v-model="curproblem.instruction" ) - p(v-html="parseHtml(curproblem.instruction)") + .instructions(v-html="parseHtml(curproblem.instruction)") fieldset textarea.solution-edit( :placeholder="st.tr['Solution']" @input="adjustHeight('solution')" v-model="curproblem.solution" ) - p(v-html="parseHtml(curproblem.solution)") + .solution(v-html="parseHtml(curproblem.solution)") button(@click="sendProblem()") {{ st.tr["Send"] }} #dialog.text-center {{ st.tr[infoMsg] }} .row(v-if="showOne") @@ -70,12 +70,12 @@ main | {{ st.tr["Previous_p"] }} button.nomargin(@click="gotoPrevNext(curproblem,-1)") | {{ st.tr["Next_p"] }} - p.oneInstructions.clickable( + .instructions.oneInstructions.clickable( v-html="parseHtml(curproblem.instruction)" @click="curproblem.showSolution=!curproblem.showSolution" ) | {{ st.tr["Show solution"] }} - p( + .solution( v-show="curproblem.showSolution" v-html="parseHtml(curproblem.solution)" ) @@ -513,9 +513,13 @@ export default { <style lang="sass"> @import "@/styles/_board_squares_img.sass" @import "@/styles/_rules.sass" -.br - display: block - margin: 10px 0 +.instructions, .solution + margin: 0 var(--universal-margin) + p, ul, ol, pre, table, h3, h4, h5, h6, blockquote + margin: var(--universal-margin) 0 + .br + display: block + margin: 10px 0 </style> <style lang="sass" scoped> @@ -562,7 +566,7 @@ button#loadMoreBtn & > * margin: 0 -p.oneInstructions +.oneInstructions margin: 0 padding: 2px 5px background-color: lightgreen diff --git a/server/routes/problems.js b/server/routes/problems.js index 746be9aa..5f4dd401 100644 --- a/server/routes/problems.js +++ b/server/routes/problems.js @@ -2,7 +2,16 @@ let router = require("express").Router(); const access = require("../utils/access"); const params = require("../config/parameters"); const ProblemModel = require("../models/Problem"); -const sanitizeHtml = require('sanitize-html'); +const sanitizeHtml_pkg = require('sanitize-html'); + +const allowedTags = [ + 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b', + 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table', + 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' +]; +function sanitizeHtml(text) { + return sanitizeHtml_pkg(text, { allowedTags: allowedTags }); +} router.post("/problems", access.logged, access.ajax, (req,res) => { if (ProblemModel.checkProblem(req.body.prob)) { diff --git a/server/routes/users.js b/server/routes/users.js index d637e13c..a3fa7061 100644 --- a/server/routes/users.js +++ b/server/routes/users.js @@ -4,7 +4,16 @@ const sendEmail = require('../utils/mailer'); const genToken = require("../utils/tokenGenerator"); const access = require("../utils/access"); const params = require("../config/parameters"); -const sanitizeHtml = require('sanitize-html'); +const sanitizeHtml_pkg = require('sanitize-html'); + +const allowedTags = [ + 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b', + 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table', + 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' +]; +function sanitizeHtml(text) { + return sanitizeHtml_pkg(text, { allowedTags: allowedTags }); +} router.get("/userbio", access.ajax, (req,res) => { const uid = req.query["id"]; -- 2.44.0