patch XSS, injection vuln

2026-02-14 16:30:21 +00:00
parent d89b08c58f
commit 7c87edc28a
6 changed files with 44 additions and 16 deletions
--- a/packages/pl-fe/src/actions/external-auth.ts
+++ b/packages/pl-fe/src/actions/external-auth.ts
@ -73,7 +73,13 @@ const externalLogin = (host: string) => {
 const loginWithCode = (code: string) =>
  (dispatch: AppDispatch) => {
-    const app = JSON.parse(localStorage.getItem('plfe:external:app')!);
+    let app;
    try {
      app = JSON.parse(localStorage.getItem('plfe:external:app')!);
    } catch {
      return;
    }
    if (!app) return;
    const { client_id, client_secret, redirect_uri } = app;
    const baseURL = localStorage.getItem('plfe:external:baseurl')!;
    const scope = localStorage.getItem('plfe:external:scopes')!;
--- a/packages/pl-fe/src/components/preview-card.tsx
+++ b/packages/pl-fe/src/components/preview-card.tsx
@ -1,10 +1,12 @@
 import { Link } from '@tanstack/react-router';
 import clsx from 'clsx';
 import DOMPurify from 'isomorphic-dompurify';
 import { type MediaAttachment, type PreviewCard as CardEntity, mediaAttachmentSchema } from 'pl-api';
 import React, { useState, useEffect } from 'react';
 import { FormattedMessage } from 'react-intl';
 import * as v from 'valibot';
 import Blurhash from '@/components/blurhash';
 import HStack from '@/components/ui/hstack';
 import Icon from '@/components/ui/icon';
@ -89,7 +91,11 @@ const PreviewCard: React.FC<IPreviewCard> = ({
  };
  const renderVideo = () => {
-    const content = { __html: addAutoPlay(card.html) };
+    const sanitized = DOMPurify.sanitize(addAutoPlay(card.html), {
      ADD_TAGS: ['iframe'],
      ADD_ATTR: ['allowfullscreen', 'frameborder', 'allow', 'src', 'width', 'height'],
    });
    const content = { __html: sanitized };
    const ratio = getRatio(card);
    const height = width / ratio;
--- a/packages/pl-fe/src/components/scrollable-list.tsx
+++ b/packages/pl-fe/src/components/scrollable-list.tsx
@ -109,7 +109,13 @@ const ScrollableList = React.forwardRef<VirtuosoHandle, IScrollableList>(({
  // Preserve scroll position
  const scrollDataKey = `plfe:scrollData:${scrollKey}:${locationState.key}`;
-  const scrollData: SavedScrollPosition | null = useMemo(() => JSON.parse(sessionStorage.getItem(scrollDataKey)!), [scrollDataKey]);
+  const scrollData: SavedScrollPosition | null = useMemo(() => {
    try {
      return JSON.parse(sessionStorage.getItem(scrollDataKey)!);
    } catch {
      return null;
    }
  }, [scrollDataKey]);
  const topIndex = useRef<number>(scrollData ? scrollData.index : 0);
  const topOffset = useRef<number>(scrollData ? scrollData.offset : 0);
--- a/packages/pl-fe/src/pages/utils/about.tsx
+++ b/packages/pl-fe/src/pages/utils/about.tsx
@ -1,3 +1,4 @@
 import DOMPurify from 'isomorphic-dompurify';
 import React, { useState } from 'react';
 import { FormattedMessage } from 'react-intl';
@ -57,7 +58,7 @@ const About: React.FC<IAbout> = ({ slug }) => {
    <div>
      <Card variant='rounded'>
        <div className='prose mx-auto py-4 dark:prose-invert sm:p-6'>
-          {pageHtml && <div dangerouslySetInnerHTML={{ __html: pageHtml }} />}
+          {pageHtml && <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(pageHtml, { USE_PROFILES: { html: true } }) }} />}
          {alsoAvailable}
        </div>
      </Card>
--- a/packages/pl-fe/src/reducers/auth.ts
+++ b/packages/pl-fe/src/reducers/auth.ts
@ -83,19 +83,23 @@ const NAMESPACE = trim(BuildConfig.FE_SUBDIRECTORY, '/') ? `pl-fe@${BuildConfig.
 const STORAGE_KEY = buildKey([NAMESPACE, 'auth']);
 const getLocalState = (): State | undefined => {
-  const state = JSON.parse(localStorage.getItem(STORAGE_KEY)!);
+  try {
    const state = JSON.parse(localStorage.getItem(STORAGE_KEY)!);
-  if (!state) return undefined;
+    if (!state) return undefined;
-  return ({
+    return ({
-    app: state.app && v.parse(applicationSchema, state.app),
+      app: state.app && v.parse(applicationSchema, state.app),
-    tokens: Object.fromEntries(Object.entries(state.tokens).map(([key, value]) => [key, v.parse(tokenWithAppSchema, value)])),
+      tokens: Object.fromEntries(Object.entries(state.tokens).map(([key, value]) => [key, v.parse(tokenWithAppSchema, value)])),
-    users: Object.fromEntries(Object.entries(state.users).map(([key, value]) => [key, v.parse(authUserSchema, value)])),
+      users: Object.fromEntries(Object.entries(state.users).map(([key, value]) => [key, v.parse(authUserSchema, value)])),
-    me: state.me,
+      me: state.me,
-    client: new PlApiClient(parseBaseURL(state.me) || backendUrl, state.users[state.me]?.access_token, {
+      client: new PlApiClient(parseBaseURL(state.me) || backendUrl, state.users[state.me]?.access_token, {
-      instance,
+        instance,
-    }),
+      }),
-  });
+    });
  } catch {
    return undefined;
  }
 };
 const localState = getLocalState();
--- a/packages/pl-fe/src/utils/redirect.ts
+++ b/packages/pl-fe/src/utils/redirect.ts
@ -4,11 +4,16 @@ const LOCAL_STORAGE_REDIRECT_KEY = 'plfe:redirect_uri';
 const getRedirectUrl = () => {
  let redirectUri = localStorage.getItem(LOCAL_STORAGE_REDIRECT_KEY);
  localStorage.removeItem(LOCAL_STORAGE_REDIRECT_KEY);
  if (redirectUri) {
    redirectUri = decodeURIComponent(redirectUri);
    // Only allow relative paths (not protocol-relative like //evil.com)
    if (!redirectUri.startsWith('/') || redirectUri.startsWith('//')) {
      return '/';
    }
  }
  localStorage.removeItem(LOCAL_STORAGE_REDIRECT_KEY);
  return redirectUri || '/';
 };