From 42608c6b09dfa97f1f686a242098ef29f68e0dc7 Mon Sep 17 00:00:00 2001
From: Samuel Cambien
Date: Tue, 27 Sep 2022 17:38:31 +0200
Subject: [PATCH] Revert "93963: Use sanitize-html instead of isomorphic-dompurifier"

This reverts commit a789cb0960e966d19d86dfc67f274c6b1751ec32.
---
 src/app/shared/utils/markdown.pipe.ts | 36 ++-------------------------
 1 file changed, 2 insertions(+), 34 deletions(-)

diff --git a/src/app/shared/utils/markdown.pipe.ts b/src/app/shared/utils/markdown.pipe.ts
index f7e1032cac..19a35742c3 100644
--- a/src/app/shared/utils/markdown.pipe.ts
+++ b/src/app/shared/utils/markdown.pipe.ts
@@ -1,6 +1,6 @@
 import { Inject, InjectionToken, Pipe, PipeTransform } from '@angular/core';
 import MarkdownIt from 'markdown-it';
-import * as sanitizeHtml from 'sanitize-html';
+import * as DOMPurify from 'isomorphic-dompurify';
 import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
 import { environment } from '../../../environments/environment';
 
@@ -46,38 +46,6 @@ export class MarkdownPipe implements PipeTransform {
 if (environment.markdown.mathjax) {
 md.use(await this.mathjax);
 }
- return this.sanitizer.bypassSecurityTrustHtml(
- sanitizeHtml(md.render(value), {
- // sanitize-html doesn't let through SVG by default, so we extend its allowlists to cover MathJax SVG
- allowedTags: [
- ...sanitizeHtml.defaults.allowedTags,
- 'mjx-container', 'svg', 'g', 'path', 'rect', 'text'
- ],
- allowedAttributes: {
- ...sanitizeHtml.defaults.allowedAttributes,
- 'mjx-container': [
- 'class', 'style', 'jax'
- ],
- svg: [
- 'xmlns', 'viewBox', 'style', 'width', 'height', 'role', 'focusable', 'alt', 'aria-label'
- ],
- g: [
- 'data-mml-node', 'style', 'stroke', 'fill', 'stroke-width', 'transform'
- ],
- path: [
- 'd', 'style', 'transform'
- ],
- rect: [
- 'width', 'height', 'x', 'y', 'transform', 'style'
- ],
- text: [
- 'transform', 'font-size'
- ]
- },
- parser: {
- lowerCaseAttributeNames: false,
- },
- })
- );
+ return this.sanitizer.bypassSecurityTrustHtml(DOMPurify.sanitize(md.render(value)));
 }
 }
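Review bot: The restored `DOMPurify.sanitize(md.render(value))` call runs with the library's default configuration and its result goes straight into `bypassSecurityTrustHtml`, so Angular's own sanitizer is switched off and those implicit defaults become the only XSS control on rendered markdown, where the removed code spelled out a tag and attribute allowlist. I would pin the policy in the call, for example `DOMPurify.sanitize(md.render(value), { USE_PROFILES: { html: true, svg: true } })`, and confirm that MathJax's `mjx-container` wrapper survives sanitization (it may need `ADD_TAGS`). If this pipe also runs during server-side rendering, `isomorphic-dompurify` sanitizes on jsdom there, and DOMPurify's documentation warns that outdated jsdom versions can let markup through, so the jsdom version deserves a pinned, current range. A short comment above the return stating that DOMPurify is the sole sanitizer on this path would help the next reader; the enclosing method starts outside the hunk.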