fix(security): sanitize server-pushed notification HTML (alert + bubble)

NotificationDefaultAlertView / NotificationDefaultBubbleView injected the server notification message (newline->br only) via dangerouslySetInnerHTML. Route through SanitizeHtml — the allow-list keeps the br/link/formatting these alerts use and strips anything else. Left Nitropedia (rich fetched HTML w/ tags outside the allow-list) and NitrobubbleHidden (<style> block) untouched on purpose: SanitizeHtml would break them.
simoleo89
2026-06-17 19:57:35 +02:00
parent 24d10aced1
commit e39f88f98e
2 changed files with 4 additions and 4 deletions
@@ -1,5 +1,5 @@
import { FC, useMemo, useState } from 'react';
import { DispatchUiEvent, LocalizeText, NotificationAlertItem, NotificationAlertType, OpenUrl, RoomWidgetUpdateChatInputContentEvent } from '../../../../api';
import { DispatchUiEvent, LocalizeText, NotificationAlertItem, NotificationAlertType, OpenUrl, RoomWidgetUpdateChatInputContentEvent, SanitizeHtml } from '../../../../api';
import { Button, Column, Flex, LayoutNotificationAlertView, LayoutNotificationAlertViewProps } from '../../../../common';
interface NotificationDefaultAlertViewProps extends LayoutNotificationAlertViewProps
@@ -97,7 +97,7 @@ export const NotificationDefaultAlertView: FC<NotificationDefaultAlertViewProps>
{
const htmlText = message.replace(/\r\n|\r|\n/g, '<br />');
return <div key={ index } dangerouslySetInnerHTML={ { __html: htmlText } } />;
return <div key={ index } dangerouslySetInnerHTML={ { __html: SanitizeHtml(htmlText) } } />;
}) }
{ item.clickUrl && (item.clickUrl.length > 0) && (item.imageUrl && !imageFailed) && <>
<hr className="my-2 w-full" />
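Review bot: SanitizeHtml is applied at the injection site on the new `dangerouslySetInnerHTML` line, so the unsanitized string still lives on as `htmlText` one line above and any later use of that variable would bypass the filter; sanitizing where the value is built, `const htmlText = SanitizeHtml(message.replace(/\r\n|\r|\n/g, '<br />'));` with the render line reverting to `__html: htmlText`, keeps only sanitized markup in scope. The same applies to NotificationDefaultBubbleView in the second file, where `htmlText` is built above the hunk and only wrapped at the `<Text>` call. Since the allow-list lives in SanitizeHtml, which is outside this diff, it is worth confirming that the link tags it keeps are limited to safe href schemes and carry no event-handler attributes, and recording that dependency at the call site: `// server-supplied message: SanitizeHtml's allow-list is the only thing keeping this injection safe`. The map callback containing these lines begins before the hunk.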
@@ -1,5 +1,5 @@
import { FC } from 'react';
import { NotificationBubbleItem, OpenUrl } from '../../../../api';
import { NotificationBubbleItem, OpenUrl, SanitizeHtml } from '../../../../api';
import { Flex, LayoutNotificationBubbleView, LayoutNotificationBubbleViewProps, Text } from '../../../../common';
export interface NotificationDefaultBubbleViewProps extends LayoutNotificationBubbleViewProps
@@ -19,7 +19,7 @@ export const NotificationDefaultBubbleView: FC<NotificationDefaultBubbleViewProp
{ (item.iconUrl && item.iconUrl.length) &&
<img alt="" className="no-select" src={ item.iconUrl } /> }
</Flex>
<Text wrap dangerouslySetInnerHTML={ { __html: htmlText } } variant="white" />
<Text wrap dangerouslySetInnerHTML={ { __html: SanitizeHtml(htmlText) } } variant="white" />
</LayoutNotificationBubbleView>
);
};