fix: stop dompurify from breaking draw.io diagrams (#7888)

Newer versions of dompurify strip <foreignobject> tags if not explicitly allowed. See https://github.com/cure53/DOMPurify/issues/1040 Fixes #7744
4 days ago · b950e065e9
parent 028dcd5656
commit b950e065e9
3 changed files with 6 additions and 3 deletions
--- a/client/components/editor/editor-asciidoc.vue
+++ b/client/components/editor/editor-asciidoc.vue
@ -228,7 +228,8 @@ export default {
      })

      this.previewHTML = DOMPurify.sanitize($.html(), {
-        ADD_TAGS: ['foreignObject']
+        ADD_TAGS: ['foreignObject'],
+        HTML_INTEGRATION_POINTS: { foreignobject: true }
      })
    },
    /**
--- a/client/components/editor/editor-markdown.vue
+++ b/client/components/editor/editor-markdown.vue
@ -454,7 +454,8 @@ export default {
      // this.$store.set('editor/content', newContent)
      this.processMarkers(this.cm.firstLine(), this.cm.lastLine())
      this.previewHTML = DOMPurify.sanitize(md.render(newContent), {
-        ADD_TAGS: ['foreignObject']
+        ADD_TAGS: ['foreignObject'],
+        HTML_INTEGRATION_POINTS: { foreignobject: true }
      })
      this.$nextTick(() => {
        tabsetHelper.format()
--- a/server/modules/rendering/html-security/renderer.js
+++ b/server/modules/rendering/html-security/renderer.js
@ -34,7 +34,8 @@ module.exports = {

      input = DOMPurify.sanitize(input, {
        ADD_ATTR: allowedAttrs,
-        ADD_TAGS: allowedTags
+        ADD_TAGS: allowedTags,
+        HTML_INTEGRATION_POINTS: { foreignobject: true }
      })
    }
    return input