Update XSS values to be consistent with knossos

Implements modrinth/knossos#1208 Implements modrinth/knossos#1239 Also closes modrinth/knossos#1371
modrinth · Sep 17, 2023 · 549514e · 549514e
1 parent ae7f7e9
commit 549514e
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/lib/helpers/parse.js b/lib/helpers/parse.js
@@ -20,11 +20,14 @@ export const configuredXss = new xss.FilterXSS({
     a: [...xss.whiteList.a, 'rel'],
     td: [...xss.whiteList.td, 'style'],
     th: [...xss.whiteList.th, 'style'],
+    picture: [],
+    source: ['media', 'sizes', 'src', 'srcset', 'type'],
   },
   css: {
     whiteList: {
       'image-rendering': /^pixelated$/,
       'text-align': /^center|left|right$/,
+      float: /^left|right$/,
     },
   },
   onIgnoreTagAttr: (tag, name, value) => {
@@ -68,6 +71,10 @@ export const configuredXss = new xss.FilterXSS({
       try {
         const url = new URL(value)
 
+        if (url.hostname.includes('wsrv.nl')) {
+          url.searchParams.delete('errorredirect')
+        }
+
         const allowedHostnames = [
           'imgur.com',
           'i.imgur.com',
@@ -88,9 +95,11 @@ export const configuredXss = new xss.FilterXSS({
           return xss.safeAttrValue(
             tag,
             name,
-            `https://wsrv.nl/?url=${encodeURIComponent(value)}&n=-1`,
+            `https://wsrv.nl/?url=${encodeURIComponent(url.toString())}&n=-1`,
             cssFilter
           )
+        } else {
+          return xss.safeAttrValue(tag, name, url.toString(), cssFilter)
         }
       } catch (err) {
         /* empty */