Sanitize HTML

pull/209/head
M66B 2 years ago
parent 950871da2d
commit 842797ae02

@ -4997,6 +4997,8 @@ With a sufficiently long/complex password, which is communicated to the recipien
The maximum message text is 1,500 characters, which includes HTML formatting tags.
Cross-site scripting (XSS) is prevented by using [DOMPurify](https://github.com/cure53/DOMPurify) (Apache License Version 2.0).
This feature is available since version 1.1985. This feature is not available in the Play store version of the app.
Sending protected text is a pro feature, decrypting protected text is a free feature.

@ -11,7 +11,7 @@
<meta name="robots" content="noindex">
<!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline' *.faircode.eu;">
<style>
body { padding-left: 10px; padding-right: 10px; font-family: Arial, Helvetica, sans-serif; }
@ -26,6 +26,9 @@
</style>
</noscript>
<!-- https://github.com/cure53/DOMPurify 2.4.0 -->
<script src="https://email.faircode.eu/decrypt/purify.min.js"></script>
<script>
window.addEventListener('load', load);
@ -85,10 +88,11 @@
if (!password.value)
throw new Error('Password required');
let html = await _decrypt(password.value);
let dirty = await _decrypt(password.value);
let clean = DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });
form.style.display = 'none';
message.innerHTML = html;
message.innerHTML = clean;
message.style.display = 'block';
copyright.style.display = 'none';
} catch (e) {

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long
Loading…
Cancel
Save