web/admin: add strict dompurify config for diagram (#11783)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-10-23 19:42:54 +02:00
parent 40c7fefd96
commit da73d4f784
2 changed files with 7 additions and 0 deletions
--- a/web/src/common/purify.ts
+++ b/web/src/common/purify.ts
@ -6,6 +6,10 @@ import { TemplateResult, html } from "lit";
 import { unsafeHTML } from "lit/directives/unsafe-html.js";
 import { until } from "lit/directives/until.js";

+export const DOM_PURIFY_STRICT: DOMPurify.Config = {
+    ALLOWED_TAGS: ["#text"],
+};
+
 export function purify(input: TemplateResult): TemplateResult {
    return html`${until(
        (async () => {
--- a/web/src/elements/Diagram.ts
+++ b/web/src/elements/Diagram.ts
@ -1,4 +1,5 @@
 import { EVENT_REFRESH, EVENT_THEME_CHANGE } from "@goauthentik/common/constants";
+import { DOM_PURIFY_STRICT } from "@goauthentik/common/purify";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/EmptyState";
 import mermaid, { MermaidConfig } from "mermaid";
@ -47,6 +48,8 @@ export class Diagram extends AKElement {
                curve: "linear",
            },
            htmlLabels: false,
+            securityLevel: "strict",
+            dompurifyConfig: DOM_PURIFY_STRICT,
        };
        mermaid.initialize(this.config);
    }