1
0
Fork 0
mirror of https://github.com/M66B/FairEmail.git synced 2024-12-22 07:42:52 +00:00

Sanitize HTML

This commit is contained in:
M66B 2022-10-17 18:40:41 +02:00
parent 950871da2d
commit 842797ae02
4 changed files with 13 additions and 3 deletions

2
FAQ.md
View file

@ -4997,6 +4997,8 @@ With a sufficiently long/complex password, which is communicated to the recipien
The maximum message text is 1,500 characters, which includes HTML formatting tags. The maximum message text is 1,500 characters, which includes HTML formatting tags.
Cross-site scripting (XSS) is prevented by using [DOMPurify](https://github.com/cure53/DOMPurify) (Apache License Version 2.0).
This feature is available since version 1.1985. This feature is not available in the Play store version of the app. This feature is available since version 1.1985. This feature is not available in the Play store version of the app.
Sending protected text is a pro feature, decrypting protected text is a free feature. Sending protected text is a pro feature, decrypting protected text is a free feature.

View file

@ -11,7 +11,7 @@
<meta name="robots" content="noindex"> <meta name="robots" content="noindex">
<!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP --> <!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"> <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline' *.faircode.eu;">
<style> <style>
body { padding-left: 10px; padding-right: 10px; font-family: Arial, Helvetica, sans-serif; } body { padding-left: 10px; padding-right: 10px; font-family: Arial, Helvetica, sans-serif; }
@ -26,6 +26,9 @@
</style> </style>
</noscript> </noscript>
<!-- https://github.com/cure53/DOMPurify 2.4.0 -->
<script src="https://email.faircode.eu/decrypt/purify.min.js"></script>
<script> <script>
window.addEventListener('load', load); window.addEventListener('load', load);
@ -85,10 +88,11 @@
if (!password.value) if (!password.value)
throw new Error('Password required'); throw new Error('Password required');
let html = await _decrypt(password.value); let dirty = await _decrypt(password.value);
let clean = DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });
form.style.display = 'none'; form.style.display = 'none';
message.innerHTML = html; message.innerHTML = clean;
message.style.display = 'block'; message.style.display = 'block';
copyright.style.display = 'none'; copyright.style.display = 'none';
} catch (e) { } catch (e) {

3
decrypt/purify.min.js vendored Normal file

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long