㊙️ Security Fixes

- XSS fix: Created SanitizeHtml.ts utility using DOMPurify (already in package.json but never used). Wrapped all 21 dangerouslySetInnerHTML calls in catalog views with SanitizeHtml() — only allows safe tags (b, i, u, br, span, div, p, a, strong, em, img)

- Race condition fix: Added 10-second timeout fallbacks on purchase flags in CatalogPurchaseWidgetView and CatalogGiftView so the flag auto-resets even if the server never responds
DuckieTM
2026-03-23 22:14:03 +01:00
parent dc678cb7ff
commit 7ffb213ce7
22 changed files with 54 additions and 34 deletions
@@ -1,6 +1,6 @@
import { CreateLinkEvent } from '@nitrots/nitro-renderer';
import { FC } from 'react';
import { LocalizeText } from '../../../../../api';
import { LocalizeText, SanitizeHtml } from '../../../../../api';
import { Button } from '../../../../../common/Button';
import { Column } from '../../../../../common/Column';
import { Grid } from '../../../../../common/Grid';
@@ -14,9 +14,9 @@ export const CatalogLayouGuildFrontpageView: FC<CatalogLayoutProps> = props =>
return (
<Grid>
<Column className="bg-muted rounded p-2 text-black" overflow="hidden" size={ 7 }>
<div dangerouslySetInnerHTML={ { __html: page.localization.getText(2) } } />
<div className="overflow-auto" dangerouslySetInnerHTML={ { __html: page.localization.getText(0) } } />
<div dangerouslySetInnerHTML={ { __html: page.localization.getText(1) } } />
<div dangerouslySetInnerHTML={ { __html: SanitizeHtml(page.localization.getText(2)) } } />
<div className="overflow-auto" dangerouslySetInnerHTML={ { __html: SanitizeHtml(page.localization.getText(0)) } } />
<div dangerouslySetInnerHTML={ { __html: SanitizeHtml(page.localization.getText(1)) } } />
</Column>
<Column center overflow="hidden" size={ 5 }>
<LayoutImage imageUrl={ page.localization.getImage(1) } />
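Review bot: The three `SanitizeHtml(...)` wrappers on the `getText(0..2)` divs are only as strong as the allowlist behind them, and the commit message lists `a` and `img` among the permitted tags — their `href`/`src` attributes are the usual carriers for script URIs, phishing links and remote image beacons, and `SanitizeHtml.ts` is not in this hunk, so confirm it keeps DOMPurify's default attribute and URI-scheme filtering (no `ALLOW_UNKNOWN_PROTOCOLS`, no `on*` attributes added via `ADD_ATTR`) and either forbids `target` or adds a hook that sets `rel="noopener noreferrer"` on links. A short comment at the first call site would keep the wrapper from being dropped later, e.g. `// localization text is presumably server/DB-supplied HTML — always route it through SanitizeHtml (DOMPurify) before injecting`. Since every remaining `dangerouslySetInnerHTML` in these views now takes the same `SanitizeHtml(...)` argument, a small `SafeHtml` component that does both would let an ESLint `react/no-danger` rule flag any future unwrapped use instead of relying on 21 hand-placed calls. `CatalogLayouGuildFrontpageView`'s return statement continues past the end of the hunk.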