
assets/readme-rendering: Use dompurify as XSS filter
Closed, Public

Authored by anlambert on Apr 12 2019, 2:52 PM.

Details

Summary

XSS filtering has recently been added to swh-web (D1322) for the rendering
of README files in markdown format.

But as @kalpitk noticed, the rendering of images located in an origin source tree
is now broken.

So instead of using the [[ https://github.com/VisionistInc/showdown-xss-filter | showdown-xss-filter ]] package, prefer to use the [[ https://github.com/cure53/DOMPurify | dompurify ]]
one, which seems to have a good default white list for XSS filtering.

Related T1642

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Update: Simplify code and add XSS filtering for all supported README types

This revision is now accepted and ready to land. (Apr 13 2019, 11:01 AM)
This revision was automatically updated to reflect the committed changes.