From 426cbd74cf75b90f68f0e5ef2738acff08dedaf1 Mon Sep 17 00:00:00 2001
From: zhanglun
Date: Wed, 25 Oct 2023 16:40:49 +0800
Subject: [PATCH] fix: :bug: fixed #30 xss problem

---
package.json | 1 +
pnpm-lock.yaml | 16 +++++++++++++++-
src/components/ArticleView/Detail.tsx | 3 ++-
3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 765b06f0d..0e9f3cbb3 100644
--- a/package.json
+++ b/package.json
@@ -52,6 +52,7 @@
 "tailwindcss-animate": "^1.0.5",
 "tauri-plugin-log-api": "github:tauri-apps/tauri-plugin-log",
 "web-vitals": "^3.1.0",
+ "xss": "^1.0.14",
 "zustand": "^4.3.7"
 },
 "devDependencies": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 5e0affea3..41d09f8e8 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -60,6 +60,7 @@ specifiers:
 vite-plugin-pwa: ^0.16.5
 web-vitals: ^3.1.0
 workbox-precaching: ^7.0.0
+ xss: ^1.0.14
 zustand: ^4.3.7
 
 dependencies:
@@ -105,6 +106,7 @@ dependencies:
 tailwindcss-animate: 1.0.7_tailwindcss@3.3.3
 tauri-plugin-log-api: github.com/tauri-apps/tauri-plugin-log/e5266f6719039c32b8f51ae86c9b726c2c9f3e42
 web-vitals: 3.5.0
+ xss: 1.0.14
 zustand: 4.4.3_4r6hgnselqdgzo3f3gd364vqle
 
 devDependencies:
@@ -3594,7 +3596,6 @@ packages:
 /commander/2.20.3:
 resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==}
- dev: true
 
 /commander/4.1.1:
 resolution: {integrity: sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA==}
 
@@ -3637,6 +3638,10 @@ packages:
 engines: {node: '>=4'}
 hasBin: true
 
+ /cssfilter/0.0.10:
+ resolution: {integrity: sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw==}
+ dev: false
+
 /csstype/3.1.2:
 resolution: {integrity: sha512-I7K1Uu0MBPzaFKg4nI5Q7Vs2t+3gWWW648spaF+Rg7pI9ds18Ugn+lvg4SHczUdKlHI5LWBXyqfS8+DufyBsgQ==}
 
@@ -5795,6 +5800,15 @@ packages:
 /wrappy/1.0.2:
 resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
 
+ /xss/1.0.14:
+ resolution: {integrity: sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==}
+ engines: {node: '>= 0.10.0'}
+ hasBin: true
+ dependencies:
+ commander: 2.20.3
+ cssfilter: 0.0.10
+ dev: false
+
 /yallist/3.1.1:
 resolution: {integrity: sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==}
 dev: true
diff --git a/src/components/ArticleView/Detail.tsx b/src/components/ArticleView/Detail.tsx
index bcb22a293..d3c7465fc 100644
--- a/src/components/ArticleView/Detail.tsx
+++ b/src/components/ArticleView/Detail.tsx
@@ -7,6 +7,7 @@ import { useBearStore } from "@/stores";
 import * as dataAgent from "@/helpers/dataAgent";
 import { motion, AnimatePresence } from "framer-motion";
 import { fetch } from "@tauri-apps/api/http";
+import xss from 'xss';
 
 function createMarkup(html: string) {
 return { __html: html };
@@ -57,7 +58,7 @@ export const ArticleDetail = (props: ArticleDetailProps) => {
 // try to get the best banner if there is no image in article content
 // it will make render slower
 setShowBanner(content.search(/]+>/gi) === -1);
- setPageContent(content);
+ setPageContent(xss(content));
 });
 
 return () => {
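Review bot: `import xss from 'xss';` is the only single-quoted import in the hunk; the three neighbouring imports are double-quoted, so `import xss from "xss";` matches the file's style. Whether the repository runs a formatter is not visible here, but the rest of the import block is consistently double-quoted.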
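Review bot: `xss(content)` on the changed line runs with the library's default options, under which a `<script>` or `<style>` element in the feed HTML is not removed but escaped, so its source text ends up visible inside the rendered article; passing `stripIgnoreTagBody: ["script", "style"]` drops those bodies instead, and keeping the options in one module-level constant makes the sanitizer policy easy to find and extend. The `setShowBanner` call two lines above still inspects the unsanitized `content`, so the banner decision and the rendered HTML can disagree when sanitization removes or rewrites an image tag; computing the sanitized string once and using it for both keeps them consistent. The effect callback this sits in starts and ends outside the hunk, and if article HTML is rendered anywhere else in the app (previews, list items) it presumably needs the same treatment — worth checking.
```typescript
import xss from 'xss';

// Sanitizer policy for article HTML. With xss's defaults a <script>/<style>
// element is escaped and its source shows up as visible text; stripping the
// tag bodies removes it instead. Extend the policy here, not at call sites.
const ARTICLE_XSS_OPTIONS = { stripIgnoreTagBody: ["script", "style"] };

// … unchanged: createMarkup, component setup, article fetch …
      const safeContent = xss(content, ARTICLE_XSS_OPTIONS);
      // … unchanged: banner check, now reading safeContent …
      setPageContent(safeContent);
```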