Patched html.js

patched.codes[bot] · patched.codes[bot] · commit 2e17671efd00 · 2025-06-18T03:30:48.000Z
diff --git a/html.js b/html.js
@@ -1,7 +1,7 @@
 'use strict'
 import PropTypes from 'prop-types'
 import React, { PureComponent } from 'react'
-import serialize from 'serialize-javascript'
+import DOMPurify from 'dompurify'
 
 // @twreporter
 import webfonts from '@twreporter/react-components/lib/text/utils/webfonts'
@@ -110,17 +110,41 @@ export default class Html extends PureComponent {
           {styleElement}
         </head>
         <body>
-          <div id="root" dangerouslySetInnerHTML={{ __html: contentMarkup }} />
+          <div id="root" 
+            dangerouslySetInnerHTML={{ 
+              __html: DOMPurify.sanitize(contentMarkup, {
+                FORBID_SCRIPTS: true,  // Completely forbid scripts in content
+                FORBID_EVAL: true,
+                FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'form', 'input'],
+                ADD_ATTR: ['target'],
+                ALLOWED_TAGS: [
+                  // Content tags only - no script tags
+                  'div', 'p', 'span', 'a', 'img', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+                  'ul', 'ol', 'li', 'br', 'strong', 'em', 'blockquote', 'figure', 'figcaption',
+                  'table', 'thead', 'tbody', 'tr', 'th', 'td'
+                ],
+                ALLOWED_ATTR: [
+                  'href', 'src', 'alt', 'title', 'class', 'id', 'target'
+                ],
+                CUSTOM_ELEMENT_HANDLING: {
+                  tagNameCheck: /^[a-zA-Z\-]+$/,
+                  attributeNameCheck: /^[a-zA-Z\-]+$/,
+                  allowCustomizedBuiltInElements: false
+                },
+                RETURN_DOM_FRAGMENT: false,
+                RETURN_DOM: false
+              })
+            }} 
+          />
           <script
             defer
             src="https://cdn.polyfill.io/v2/polyfill.min.js?features=Intl.~locale.zh-Hant-TW"
           />
           <script
-            dangerouslySetInnerHTML={{
-              __html: `window.__REDUX_STATE__=${serialize(store.getState())};`,
-            }}
             charSet="UTF-8"
-          />
+          >
+            {`window.__REDUX_STATE__ = ${JSON.stringify(store.getState())};`}
+          </script>
           {_.map(scripts, (script, key) => (
             <script src={script} key={'scripts' + key} charSet="UTF-8" />
           ))}
