duckietm/Nitro-V3
1
0
Fork 0
mirror of https://github.com/duckietm/Nitro-V3.git synced 2026-06-19 23:16:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

㊙️ Security Fixes

Browse Source 
- XSS fix: Created SanitizeHtml.ts utility using DOMPurify (already in package.json but never used). Wrapped all 21 dangerouslySetInnerHTML calls in catalog views with SanitizeHtml() — only allows safe tags (b, i, u, br, span, div, p, a, strong, em, img)

- Race condition fix: Added 10-second timeout fallbacks on purchase flags in CatalogPurchaseWidgetView and CatalogGiftView so the flag auto-resets even if the server never responds
This commit is contained in:
DuckieTM
2026-03-23 22:14:03 +01:00
parent dc678cb7ff
commit 7ffb213ce7
22 changed files with 54 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/api/utils/SanitizeHtml.ts
+10
View File
@@ -0,0 +1,10 @@
import DOMPurify from 'dompurify';
export const SanitizeHtml = (html: string): string =>
{
return DOMPurify.sanitize(html, {
ALLOWED_TAGS: [ 'b', 'i', 'u', 'br', 'span', 'div', 'p', 'a', 'strong', 'em', 'img' ],
ALLOWED_ATTR: [ 'href', 'target', 'class', 'style', 'src', 'alt' ],
ALLOW_DATA_ATTR: false
});
};
src/api/utils/index.ts
+1
View File
@@ -15,6 +15,7 @@ export * from './PrefixUtils';
export * from './ProductImageUtility';
export * from './Randomizer';
export * from './RoomChatFormatter';
export * from './SanitizeHtml';
export * from './SetLocalStorage';
export * from './SoundNames';
export * from './WindowSaveOptions';