habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

web/flows: use dompurify for footer links (#11773)

Browse Source 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L.
2024-10-23 11:15:23 +02:00
committed by GitHub
parent 12dbdfaf66
commit a5a26a50c6
4 changed files with 91 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
web/src/common/purify.ts Normal file
View File

@ -0,0 +1,17 @@
import DOMPurify from "dompurify";
import { render } from "@lit-labs/ssr";
import { collectResult } from "@lit-labs/ssr/lib/render-result.js";
import { TemplateResult, html } from "lit";
import { unsafeHTML } from "lit/directives/unsafe-html.js";
import { until } from "lit/directives/until.js";
export function purify(input: TemplateResult): TemplateResult {
return html`${until(
(async () => {
const rendered = await collectResult(render(input));
const purified = DOMPurify.sanitize(rendered);
return html`${unsafeHTML(purified)}`;
})(),
)}`;
}

11
web/src/flow/FlowExecutor.ts
View File

@ -5,6 +5,7 @@ import {
TITLE_DEFAULT,
} from "@goauthentik/common/constants";
import { globalAK } from "@goauthentik/common/global";
import { purify } from "@goauthentik/common/purify";
import { configureSentry } from "@goauthentik/common/sentry";
import { first } from "@goauthentik/common/utils";
import { WebsocketClient } from "@goauthentik/common/ws";
@ -518,9 +519,13 @@ export class FlowExecutor extends Interface implements StageHost {
<ul class="pf-c-list pf-m-inline">
${this.brand?.uiFooterLinks?.map((link) => {
if (link.href) {
return html`<li>
<a href="${link.href}">${link.name}</a>
</li>`;
return html`${purify(
html`<li>
<a href="${link.href}"
>${link.name}</a
>
</li>`,
)}`;
}
return html`<li>
<span>${link.name}</span>