Add DOMpurify + fix XSS

2025-12-23 17:47:54 -05:00 · 2025-11-23 14:37:23 +01:00
parent 26a398f7d2
commit bef03a4125
3 changed files with 12 additions and 4 deletions
--- a/app/Views/partial/header_js.php
+++ b/app/Views/partial/header_js.php
@@ -17,6 +17,13 @@
        document.getElementById('liveclock').innerHTML = moment().format("<?= dateformat_momentjs($config['dateformat'] . ' ' . $config['timeformat']) ?>");
    }

+    const notify = $.notify;
+
+    $.notify = function(content, options) {
+        const sanitizedContent = DOMPurify.sanitize(content);
+        return notify(sanitizedContent, options);
+    };
+
    $.notifyDefaults({
        placement: {
            align: "<?= esc($config['notify_horizontal_position'], 'js') ?>",
--- a/package-lock.json
+++ b/package-lock.json
@@ -28,6 +28,7 @@
                "chartist-plugin-tooltips": "^0.0.17",
                "clipboard": "^2.0.11",
                "coffeescript": "^2.7.0",
+                "dompurify": "^3.3.0",
                "elegant-circles": "github:opensourcepos/elegant-circles#minified",
                "es6-promise": "^4.2.8",
                "file-saver": "^2.0.5",
@@ -1486,11 +1487,10 @@
            "integrity": "sha512-ED3jP8saaweFTjeGX8HQPjeC1YYyZs98jGNZx6IiBvxW7JG5v492kamAQB3m2wop07CvU/RQmzcKr6bgcC5D/Q=="
        },
        "node_modules/dompurify": {
-            "version": "3.2.4",
-            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.4.tgz",
-            "integrity": "sha512-ysFSFEDVduQpyhzAob/kkuJjf5zWkZD8/A9ywSp1byueyuCfHamrCBa14/Oc2iiB0e51B+NpxSl5gmzn+Ms/mg==",
+            "version": "3.3.0",
+            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.0.tgz",
+            "integrity": "sha512-r+f6MYR1gGN1eJv0TVQbhA7if/U7P87cdPl3HN5rikqaBSBxLiCb/b9O+2eG0cxz0ghyU+mU1QkbsOwERMYlWQ==",
            "license": "(MPL-2.0 OR Apache-2.0)",
-            "optional": true,
            "optionalDependencies": {
                "@types/trusted-types": "^2.0.7"
            }
--- a/package.json
+++ b/package.json
@@ -49,6 +49,7 @@
        "chartist-plugin-tooltips": "^0.0.17",
        "clipboard": "^2.0.11",
        "coffeescript": "^2.7.0",
+        "dompurify": "^3.3.0",
        "elegant-circles": "github:opensourcepos/elegant-circles#minified",
        "es6-promise": "^4.2.8",
        "file-saver": "^2.0.5",