Add sanitize-html on front-end when pasting into a comment field

So that only allowed tags are inputted into a comment, when copying from elsewhere Closes #836 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-11-13 15:45:05 +01:00
parent 3d2fea6bb8
commit cf7744ab51
3 changed files with 48 additions and 2 deletions
--- a/js/src/components/Editor.vue
+++ b/js/src/components/Editor.vue
@@ -212,6 +212,7 @@ import Underline from "@tiptap/extension-underline";
 import Link from "@tiptap/extension-link";
 import CharacterCount from "@tiptap/extension-character-count";
 import { AutoDir } from "./Editor/Autodir";
+import sanitizeHtml from "sanitize-html";

@Component({
  components: { EditorContent, BubbleMenu },
@@ -265,6 +266,7 @@ export default class EditorComponent extends Vue {
          "aria-label": this.ariaLabel,
          role: "textbox",
        },
+        transformPastedHTML: this.transformPastedHTML,
      },
      extensions: [
        StarterKit,
@@ -292,6 +294,19 @@ export default class EditorComponent extends Vue {
    });
  }

+  transformPastedHTML(html: string): string {
+    // When using comment mode, limit to acceptable tags
+    if (this.isCommentMode) {
+      return sanitizeHtml(html, {
+        allowedTags: ["b", "i", "em", "strong", "a"],
+        allowedAttributes: {
+          a: ["href", "rel", "target"],
+        },
+      });
+    }
+    return html;
+  }
+
  @Watch("value")
  onValueChanged(val: string): void {
    if (!this.editor) return;