A fork of pds-dash for selfhosted.social

Resolves an xss vulnerability

Changed files
+12 -2
+1
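--- a/package.json
+++ b/package.json
@@ -14,6 +14,7 @@
 "@atcute/client": "^3.0.1",
 "@atcute/identity-resolver": "^0.1.2",
 "@atproto/api": "^0.16.9",
+"@braintree/sanitize-url": "^7.1.1",
 "@eslint/compat": "^2.0.0",
 "@eslint/js": "^9.39.1",
 "@sinclair/typebox": "^0.34.41",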
+8
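--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -20,6 +20,9 @@
 '@atproto/api':
 specifier: ^0.16.9
 version: 0.16.11
+'@braintree/sanitize-url':
+specifier: ^7.1.1
+version: 7.1.1
 '@eslint/compat':
 specifier: ^2.0.0
 version: 2.0.0(eslint@9.39.1)
@@ -130,6 +133,9 @@
 '@badrap/valita@0.4.6':
 resolution: {integrity: sha512-4kdqcjyxo/8RQ8ayjms47HCWZIF5981oE5nIenbfThKDxWXtEHKipAOWlflpPJzZx9y/JWYQkp18Awr7VuepFg==}
 engines: {node: '>= 18'}
+
+'@braintree/sanitize-url@7.1.1':
+resolution: {integrity: sha512-i1L7noDNxtFyL5DmZafWy1wRVhGehQmzZaz1HiN5e7iylJMSZR7ekOV7NsIqa5qBldlLrsKv4HbgFUVlQrz8Mw==}
 
 '@esbuild/aix-ppc64@0.25.12':
 resolution: {integrity: sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==}
@@ -1391,6 +1397,8 @@
 zod: 3.25.76
 
 '@badrap/valita@0.4.6': {}
+
+'@braintree/sanitize-url@7.1.1': {}
 
 '@esbuild/aix-ppc64@0.25.12':
 optional: true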
+3 -2
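--- a/src/lib/components/landing/PostComponent.svelte
+++ b/src/lib/components/landing/PostComponent.svelte
@@ -5,6 +5,7 @@
 import moment from 'moment';
 import { blueskyHandleFromDid } from '../../pdsfetch';
 import Hls from 'hls.js';
+import {sanitizeUrl} from '@braintree/sanitize-url';
 let { post }: { post: Post } = $props();
 
 // State for image carousel
@@ -137,13 +138,13 @@
 >
 {/if}
 <div id="postText">
-{#each post.richText.segments() as segment}
+{#each post.richText.segments() as segment, index (index)}
 {#if segment.mention}
 <a href="{Config.FRONTEND_URL}/profile/{segment.mention.did}"
 >{segment.text}</a
 >
 {:else if segment.link}
-<a style="text-decoration: underline" href="{segment.link.uri}">{segment.text}</a>
+<a style="text-decoration: underline" href="{sanitizeUrl(segment.link.uri)}">{segment.text}</a>
 {:else if segment.text}
 {segment.text}
 {/if}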
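Review bot: The sanitized anchor on new line 147 still points at a user-supplied, post-controlled URL without `rel="noopener noreferrer"`, so the destination receives the referrer and would get a window handle if a `target` is ever added; prefer `<a style="text-decoration: underline" href="{sanitizeUrl(segment.link.uri)}" rel="noopener noreferrer">{segment.text}</a>`. As far as I recall, sanitizeUrl substitutes `about:blank` for a blocked scheme rather than signalling rejection, so a rejected link facet still renders as a clickable underlined segment; consider checking the sanitized value and falling through to the plain `{segment.text}` branch when it is `about:blank`. The new import on line 8 uses `import {sanitizeUrl}` while the neighbouring imports use `{ blueskyHandleFromDid }` spacing, so the formatter will likely rewrite it. The `{#each}` block opened in this hunk is closed outside it.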