fix: xss

V4Fire · Jul 15, 2024 · 256f2e4 · 256f2e4
1 parent 230b20f
commit 256f2e4
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 9 deletions.
diff --git a/src/core/page-meta-data/elements/abstract/engines/ssr/const.ts b/src/core/page-meta-data/elements/abstract/engines/ssr/const.ts
@@ -0,0 +1,35 @@
+/*!
+ * V4Fire Client Core
+ * https://github.com/V4Fire/Client
+ *
+ * Released under the MIT license
+ * https://github.com/V4Fire/Client/blob/master/LICENSE
+ */
+
+export const allowedTags = {
+	meta: [
+		'meta',
+		'name',
+		'content',
+		'http-equiv',
+		'charset',
+		'property'
+	],
+
+	link: [
+		'href',
+		'rel',
+		'type',
+		'media',
+		'sizes',
+		'as',
+		'crossorigin',
+		'integrity',
+		'title',
+		'charset',
+		'hreflang',
+		'referrerpolicy'
+	],
+
+	title: []
+};
diff --git a/src/core/page-meta-data/elements/abstract/engines/ssr/index.ts b/src/core/page-meta-data/elements/abstract/engines/ssr/index.ts
@@ -11,20 +11,22 @@ import { sanitize } from 'core/html/xss';
 import type { Engine } from 'core/page-meta-data/elements/abstract/engines/interface';
 import type { AbstractElement } from 'core/page-meta-data/elements';
 
+import { allowedTags } from 'core/page-meta-data/elements/abstract/engines/ssr/const';
+
+export * from 'core/page-meta-data/elements/abstract/engines/ssr/const';
+
 export class SSREngine implements Engine {
 	/** {@link Engine.render} */
 	render(_element: AbstractElement, tag: string, attrs: Dictionary<string>): string {
-		const keys = Object.keys(attrs);
-
-		const attrsString = keys
-			.map((key) => `${key}="${attrs[key]}"`)
+		const attrsString = Object.entries(attrs)
+			.map(([key, val]) => `${key}="${val}"`)
 			.join(' ');
 
 		return sanitize(`<${tag} ${attrsString} />`, {
 			RETURN_DOM: true,
 			WHOLE_DOCUMENT: true,
-			ADD_TAGS: [tag],
-			ALLOWED_ATTR: keys
+			ADD_TAGS: allowedTags[tag] != null ? [tag] : [],
+			ALLOWED_ATTR: allowedTags[tag] ?? []
 		}).querySelector(tag)!.outerHTML;
 	}
 

diff --git a/src/core/page-meta-data/elements/title/engines/ssr/index.ts b/src/core/page-meta-data/elements/title/engines/ssr/index.ts
@@ -9,15 +9,15 @@
 import { sanitize } from 'core/html/xss';
 
 import type { AbstractElement } from 'core/page-meta-data/elements';
-import { SSREngine } from 'core/page-meta-data/elements/abstract/engines';
+import { SSREngine, allowedTags } from 'core/page-meta-data/elements/abstract/engines';
 
 export class SSRTitleEngine extends SSREngine {
 	override render(_element: AbstractElement, tag: string, attrs: Dictionary<string>): string {
 		return sanitize(`<${tag}>${attrs.text ?? ''}</${tag}>`, {
 			RETURN_DOM: true,
 			WHOLE_DOCUMENT: true,
-			ADD_TAGS: [tag],
-			ALLOWED_ATTR: []
+			ADD_TAGS: tag === 'title' ? [tag] : [],
+			ALLOWED_ATTR: allowedTags[tag] ?? []
 		}).querySelector(tag)!.outerHTML;
 	}
 }