Move sanitation to insider reader mode

This protects us against someone opening a malicious reader URL + anchor
2025-03-04 17:11:40 -05:00 · 2023-04-05 21:34:11 +02:00 · 2023-04-05 21:34:11 +02:00 · d815ad6b88
commit d815ad6b88
parent cbcf6f4521
2 changed files with 2 additions and 4 deletions
--- a/src/excmds.ts
+++ b/src/excmds.ts
@ -5991,16 +5991,12 @@ export async function extoptions(...optionNameArgs: string[]) {
 }

 //#content_helper
-// {
 import { Readability } from "@mozilla/readability"
-import xss from "xss"
-// }

 //#content_helper
 export async function readerurl() {
    document.querySelectorAll(".TridactylStatusIndicator").forEach(ind => ind.parentNode.removeChild(ind))
    const article = new Readability(document.cloneNode(true) as any as Document).parse()
-    article.content = xss(article.content, {stripIgnoreTag: true})
    article["link"] = window.location.href
    return browser.runtime.getURL("static/reader.html#" + btoa(encodeURIComponent(JSON.stringify(article))))
 }
--- a/src/reader.ts
+++ b/src/reader.ts
@ -1,7 +1,9 @@
 // import * as config from "@src/lib/config"
+import xss from "xss"

 function updatePage(){
    const article = JSON.parse(decodeURIComponent(atob(window.location.hash.substr(1))))
+    article.content = xss(article.content, {stripIgnoreTag: true})
    document.body.innerHTML = article.content
    if (article.title !== undefined) {
        const header = document.createElement("header")