merge: laxer HTML sanitisation for admin-controlled text - fixes #447 (!454)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/454

Closes #447

Approved-by: Marie <marie@kaifa.ch>

packages/frontend/src/components/MkNotes.vue

@@ -55,8 +55,6 @@ import { i18n } from '@/i18n.js';
 import { infoImageUrl } from '@/instance.js';
 import { defaultStore } from '@/store.js';
 
-console.log(defaultStore.state.noteDesign, defaultStore.state.noteDesign === 'sharkey');
-
 const props = defineProps<{
 	pagination: Paging;
 	noGap?: boolean;

packages/frontend/src/components/MkSignupDialog.rules.vue

@@ -65,7 +65,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 import { computed, ref } from 'vue';
 import { instance } from '@/instance.js';
 import { i18n } from '@/i18n.js';
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import MkButton from '@/components/MkButton.vue';
 import MkFolder from '@/components/MkFolder.vue';
 import MkSwitch from '@/components/MkSwitch.vue';

packages/frontend/src/components/MkVisitorDashboard.vue

@@ -56,7 +56,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import { ref } from 'vue';
 import * as Misskey from 'misskey-js';
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import XSigninDialog from '@/components/MkSigninDialog.vue';
 import XSignupDialog from '@/components/MkSignupDialog.vue';
 import MkButton from '@/components/MkButton.vue';

packages/frontend/src/pages/about.vue

@@ -130,7 +130,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 </template>
 
 <script lang="ts" setup>
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import { computed, watch, ref } from 'vue';
 import * as Misskey from 'misskey-js';
 import XEmojis from './about.emojis.vue';

packages/frontend/src/pages/favorites.vue

@@ -16,9 +16,14 @@ SPDX-License-Identifier: AGPL-3.0-only
 			</template>
 
 			<template #default="{ items }">
-				<MkDateSeparatedList v-slot="{ item }" :items="items" :direction="'down'" :noGap="false" :ad="false">
+				<MkDateSeparatedList v-if="defaultStore.state.noteDesign === 'misskey'"
+					v-slot="{ item }" :items="items" :direction="'down'" :noGap="false" :ad="false">
 					<MkNote :key="item.id" :note="item.note" :class="$style.note"/>
 				</MkDateSeparatedList>
+				<MkDateSeparatedList v-if="defaultStore.state.noteDesign === 'sharkey'"
+					v-slot="{ item }" :items="items" :direction="'down'" :noGap="false" :ad="false">
+					<SkNote :key="item.id" :note="item.note" :class="$style.note"/>
+				</MkDateSeparatedList>
 			</template>
 		</MkPagination>
 	</MkSpacer>
@@ -28,10 +33,12 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import MkPagination from '@/components/MkPagination.vue';
 import MkNote from '@/components/MkNote.vue';
+import SkNote from '@/components/SkNote.vue';
 import MkDateSeparatedList from '@/components/MkDateSeparatedList.vue';
 import { i18n } from '@/i18n.js';
 import { definePageMetadata } from '@/scripts/page-metadata.js';
 import { infoImageUrl } from '@/instance.js';
+import { defaultStore } from '@/store.js';
 
 const pagination = {
 	endpoint: 'i/favorites' as const,

packages/frontend/src/scripts/sanitize-html.ts

@@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+import original from 'sanitize-html';
+
+export default function sanitizeHtml(str: string | null): string | null {
+	if (str == null) return str;
+	return original(str, {
+		allowedTags: original.defaults.allowedTags.concat(['img', 'audio', 'video', 'center']),
+		allowedAttributes: {
+			...original.defaults.allowedAttributes,
+			a: original.defaults.allowedAttributes.a.concat(['style']),
+			img: original.defaults.allowedAttributes.img.concat(['style']),
+		},
+	});
+}