From ad65975c9150ac761c7e7c6696930d4e9e87396c Mon Sep 17 00:00:00 2001
From: Benjamin Auder <benjamin.auder@somewhere>
Date: Sat, 2 May 2020 04:14:53 +0200
Subject: [PATCH] Slightly restrain allowed HTML tags + adjust style for
 problems instr/solu

---
 client/src/components/UserBio.vue |  2 +-
 client/src/views/Problems.vue     | 20 ++++++++++++--------
 server/routes/problems.js         | 11 ++++++++++-
 server/routes/users.js            | 11 ++++++++++-
 4 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/client/src/components/UserBio.vue b/client/src/components/UserBio.vue
index 01bafd23..4631e830 100644
--- a/client/src/components/UserBio.vue
+++ b/client/src/components/UserBio.vue
@@ -115,7 +115,7 @@ export default {
 .bio-content
   text-align: left
   margin: 0 var(--universal-margin)
-  p, ul, ol
+  p, ul, ol, pre, table, h3, h4, h5, h6, blockquote
     margin: var(--universal-margin) 0
   .br
     display: block
diff --git a/client/src/views/Problems.vue b/client/src/views/Problems.vue
index b989fbcb..adc0ad36 100644
--- a/client/src/views/Problems.vue
+++ b/client/src/views/Problems.vue
@@ -47,14 +47,14 @@ main
           @input="adjustHeight('instructions')"
           v-model="curproblem.instruction"
         )
-        p(v-html="parseHtml(curproblem.instruction)")
+        .instructions(v-html="parseHtml(curproblem.instruction)")
       fieldset
         textarea.solution-edit(
           :placeholder="st.tr['Solution']"
           @input="adjustHeight('solution')"
           v-model="curproblem.solution"
         )
-        p(v-html="parseHtml(curproblem.solution)")
+        .solution(v-html="parseHtml(curproblem.solution)")
       button(@click="sendProblem()") {{ st.tr["Send"] }}
       #dialog.text-center {{ st.tr[infoMsg] }}
   .row(v-if="showOne")
@@ -70,12 +70,12 @@ main
           | {{ st.tr["Previous_p"] }}
         button.nomargin(@click="gotoPrevNext(curproblem,-1)")
           | {{ st.tr["Next_p"] }}
-      p.oneInstructions.clickable(
+      .instructions.oneInstructions.clickable(
         v-html="parseHtml(curproblem.instruction)"
         @click="curproblem.showSolution=!curproblem.showSolution"
       )
         | {{ st.tr["Show solution"] }}
-      p(
+      .solution(
         v-show="curproblem.showSolution"
         v-html="parseHtml(curproblem.solution)"
       )
@@ -513,9 +513,13 @@ export default {
 <style lang="sass">
 @import "@/styles/_board_squares_img.sass"
 @import "@/styles/_rules.sass"
-.br
-  display: block
-  margin: 10px 0
+.instructions, .solution
+  margin: 0 var(--universal-margin)
+  p, ul, ol, pre, table, h3, h4, h5, h6, blockquote
+    margin: var(--universal-margin) 0
+  .br
+    display: block
+    margin: 10px 0
 </style>
 
 <style lang="sass" scoped>
@@ -562,7 +566,7 @@ button#loadMoreBtn
   & > *
     margin: 0
 
-p.oneInstructions
+.oneInstructions
   margin: 0
   padding: 2px 5px
   background-color: lightgreen
diff --git a/server/routes/problems.js b/server/routes/problems.js
index 746be9aa..5f4dd401 100644
--- a/server/routes/problems.js
+++ b/server/routes/problems.js
@@ -2,7 +2,16 @@ let router = require("express").Router();
 const access = require("../utils/access");
 const params = require("../config/parameters");
 const ProblemModel = require("../models/Problem");
-const sanitizeHtml = require('sanitize-html');
+const sanitizeHtml_pkg = require('sanitize-html');
+
+const allowedTags = [
+  'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b',
+  'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table',
+  'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
+];
+function sanitizeHtml(text) {
+  return sanitizeHtml_pkg(text, { allowedTags: allowedTags });
+}
 
 router.post("/problems", access.logged, access.ajax, (req,res) => {
   if (ProblemModel.checkProblem(req.body.prob)) {
diff --git a/server/routes/users.js b/server/routes/users.js
index d637e13c..a3fa7061 100644
--- a/server/routes/users.js
+++ b/server/routes/users.js
@@ -4,7 +4,16 @@ const sendEmail = require('../utils/mailer');
 const genToken = require("../utils/tokenGenerator");
 const access = require("../utils/access");
 const params = require("../config/parameters");
-const sanitizeHtml = require('sanitize-html');
+const sanitizeHtml_pkg = require('sanitize-html');
+
+const allowedTags = [
+  'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b',
+  'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table',
+  'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
+];
+function sanitizeHtml(text) {
+  return sanitizeHtml_pkg(text, { allowedTags: allowedTags });
+}
 
 router.get("/userbio", access.ajax, (req,res) => {
   const uid = req.query["id"];
-- 
2.44.0