Sanitize HTML
This commit is contained in:
parent
950871da2d
commit
842797ae02
4 changed files with 13 additions and 3 deletions
2
FAQ.md
2
FAQ.md
|
@ -4997,6 +4997,8 @@ With a sufficiently long/complex password, which is communicated to the recipien
|
||||||
|
|
||||||
The maximum message text is 1,500 characters, which includes HTML formatting tags.
|
The maximum message text is 1,500 characters, which includes HTML formatting tags.
|
||||||
|
|
||||||
|
Cross-site scripting (XSS) is prevented by using [DOMPurify](https://github.com/cure53/DOMPurify) (Apache License Version 2.0).
|
||||||
|
|
||||||
This feature is available since version 1.1985. This feature is not available in the Play store version of the app.
|
This feature is available since version 1.1985. This feature is not available in the Play store version of the app.
|
||||||
|
|
||||||
Sending protected text is a pro feature, decrypting protected text is a free feature.
|
Sending protected text is a pro feature, decrypting protected text is a free feature.
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
<meta name="robots" content="noindex">
|
<meta name="robots" content="noindex">
|
||||||
|
|
||||||
<!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP -->
|
<!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP -->
|
||||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';">
|
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline' *.faircode.eu;">
|
||||||
|
|
||||||
<style>
|
<style>
|
||||||
body { padding-left: 10px; padding-right: 10px; font-family: Arial, Helvetica, sans-serif; }
|
body { padding-left: 10px; padding-right: 10px; font-family: Arial, Helvetica, sans-serif; }
|
||||||
|
@ -26,6 +26,9 @@
|
||||||
</style>
|
</style>
|
||||||
</noscript>
|
</noscript>
|
||||||
|
|
||||||
|
<!-- https://github.com/cure53/DOMPurify 2.4.0 -->
|
||||||
|
<script src="https://email.faircode.eu/decrypt/purify.min.js"></script>
|
||||||
|
|
||||||
<script>
|
<script>
|
||||||
window.addEventListener('load', load);
|
window.addEventListener('load', load);
|
||||||
|
|
||||||
|
@ -85,10 +88,11 @@
|
||||||
if (!password.value)
|
if (!password.value)
|
||||||
throw new Error('Password required');
|
throw new Error('Password required');
|
||||||
|
|
||||||
let html = await _decrypt(password.value);
|
let dirty = await _decrypt(password.value);
|
||||||
|
let clean = DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });
|
||||||
|
|
||||||
form.style.display = 'none';
|
form.style.display = 'none';
|
||||||
message.innerHTML = html;
|
message.innerHTML = clean;
|
||||||
message.style.display = 'block';
|
message.style.display = 'block';
|
||||||
copyright.style.display = 'none';
|
copyright.style.display = 'none';
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
|
|
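Review bot: The DOMPurify build that now guards `message.innerHTML` is loaded in the second hunk from `https://email.faircode.eu/decrypt/purify.min.js` without a Subresource Integrity hash, so the sanitization step trusts whatever that host serves; since the commit also vendors `decrypt/purify.min.js` (2.4.0 per the comment), the digest can be computed from that file and pinned with `<script src="https://email.faircode.eu/decrypt/purify.min.js" integrity="sha384-<BASE64_DIGEST_OF_VENDORED_PURIFY_MIN_JS>" crossorigin="anonymous"></script>`. The matching CSP change in the first hunk grants `script-src 'unsafe-inline' *.faircode.eu`, which is wider than the single host actually referenced; `script-src 'unsafe-inline' https://email.faircode.eu;` (or `'self'`, if the page is served from that origin) keeps the policy as narrow as the script tag, with `'unsafe-inline'` remaining only for the inline `<script>` block that follows. In the third hunk the new code fails closed: if purify.min.js does not load, `DOMPurify.sanitize` throws a ReferenceError that lands in the enclosing `catch (e)` and nothing is rendered, which is worth recording with a short comment above the call such as `// DOMPurify is required; if it failed to load, the ReferenceError is caught below and no HTML is rendered`. The try/catch and its function start and end outside that hunk.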
3
decrypt/purify.min.js
vendored
Normal file
3
decrypt/purify.min.js
vendored
Normal file
File diff suppressed because one or more lines are too long
1
decrypt/purify.min.js.map
Normal file
1
decrypt/purify.min.js.map
Normal file
File diff suppressed because one or more lines are too long