Update home and MBViewer

octospacc · Jan 27, 2024 · 5730543 · 5730543
1 parent 9acf326
commit 5730543
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 11 deletions.
diff --git a/public/Assets/CSS/Dark.css b/public/Assets/CSS/Dark.css
@@ -104,6 +104,7 @@ Body {
 	background-attachment: local, local, scroll, scroll;
 	*/
 	Background-Color: RGBA(36, 36, 36, 0.85);
+	Font-Size: Larger;
 }
 .Footer > .FooterRight { Margin-Right: 12px; }
 

diff --git a/public/Assets/Lib/Trasformapi.js b/public/Assets/Lib/Trasformapi.js
@@ -140,7 +140,7 @@ function _TransformForOutput (transformerTree, initOptions, entityName, upstream
 // TODO: 'document' won't work on nodejs, must change it
 function GetElementsByXPath (xpath, parent) {
 	let results = [];
-	let query = document.evaluate(xpath, parent || document, ((ns) => ns), XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
+	let query = (parent?.getRootNode() || document).evaluate(xpath, (parent || document), ((ns) => ns), XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
 	for (let i=0, length=query.snapshotLength; i<length; ++i) {
 		results.push(query.snapshotItem(i));
 	}

diff --git a/public/Assets/Lib/cleanHTML.js b/public/Assets/Lib/cleanHTML.js
@@ -0,0 +1,84 @@
+/**
+ * Sanitize an HTML string
+ * (c) Chris Ferdinandi, MIT License, https://gomakethings.com
+ * @param  {String}          str   The HTML string to sanitize
+ * @param  {Boolean}         nodes If true, returns HTML nodes instead of a string
+ * @return {String|NodeList}       The sanitized string or nodes
+ */
+function cleanHTML (str, nodes) {
+
+	/**
+	 * Convert the string to an HTML document
+	 * @return {Node} An HTML document
+	 */
+	function stringToHTML () {
+		let parser = new DOMParser();
+		let doc = parser.parseFromString(str, 'text/html');
+		return doc.body || document.createElement('body');
+	}
+
+	/**
+	 * Remove <script> elements
+	 * @param  {Node} html The HTML
+	 */
+	function removeScripts (html) {
+		let scripts = html.querySelectorAll('script');
+		for (let script of scripts) {
+			script.remove();
+		}
+	}
+
+	/**
+	 * Check if the attribute is potentially dangerous
+	 * @param  {String}  name  The attribute name
+	 * @param  {String}  value The attribute value
+	 * @return {Boolean}       If true, the attribute is potentially dangerous
+	 */
+	function isPossiblyDangerous (name, value) {
+		let val = value.replace(/\s+/g, '').toLowerCase();
+		if (['src', 'href', 'xlink:href'].includes(name)) {
+			if (val.includes('javascript:') || val.includes('data:')) return true;
+		}
+		if (name.startsWith('on')) return true;
+	}
+
+	/**
+	 * Remove potentially dangerous attributes from an element
+	 * @param  {Node} elem The element
+	 */
+	function removeAttributes (elem) {
+
+		// Loop through each attribute
+		// If it's dangerous, remove it
+		let atts = elem.attributes;
+		for (let {name, value} of atts) {
+			if (!isPossiblyDangerous(name, value)) continue;
+			elem.removeAttribute(name);
+		}
+
+	}
+
+	/**
+	 * Remove dangerous stuff from the HTML document's nodes
+	 * @param  {Node} html The HTML document
+	 */
+	function clean (html) {
+		let nodes = html.children;
+		for (let node of nodes) {
+			removeAttributes(node);
+			clean(node);
+		}
+	}
+
+	// Convert the string to HTML
+	let html = stringToHTML();
+
+	// Sanitize it
+	removeScripts(html);
+	clean(html);
+
+	// If the user wants HTML nodes back, return them
+	// Otherwise, pass a sanitized string back
+	return nodes ? html.childNodes : html.innerHTML;
+
+}
diff --git a/public/MBViewer/index.html b/public/MBViewer/index.html
@@ -207,6 +207,7 @@ <h5><a href="//core.telegram.org/">Platform</a></h5>
 		<script src="../Assets/Lib/lodash.custom.min.js"></script>
 		<script src="../Assets/Lib/defiant.min.js"></script>
 		<script src="../Assets/Lib/Trasformapi.js"></script>
+		<script src="../Assets/Lib/cleanHTML.js"></script>
 		<script src="./js/TrasformapiSchema.js.xml"></script>
 		<script src="./js/MBViewer.js"></script>
 		<script>

diff --git a/public/MBViewer/js/MBViewer.js b/public/MBViewer/js/MBViewer.js
@@ -7,18 +7,16 @@
 // * in-app search of site content
 // * homepage with history and sponsored sources
 // * don't show redundant day markers
-// * other supported sources
-// ** Markdown WordPress export pages from Git?
-// ** Atom/RSS feeds
-// * app info in page without JS?
-// * fix some messages being skipped when connection errors happen
+// * fetch and compile to show Markdown WordPress export pages from Git?
+// * app info in main page without JS?
+// * fix some messages being skipped when connection errors happen (already done?)
 // * optionally show post titles?
-// * fix unfinished tasks still executing when clicking back
-// * fix imported SVG buttons not fitting with dark theme
+// * fix some unfinished tasks still executing when clicking back
 // * I think we might need to handle acronicized names for users when needed?
 // * show, and/or sort by, posts tags/categories
 // * scroll to post id when loading from dataInject or RSS
 // * fix XML feeds parsing on Firefox
+// * allow for an HTML transformation script to be loaded (JS is unsafe) (how?)
 
 let MbState = {};
 let MbApiTransformer;
@@ -374,7 +372,7 @@ async function MbViewerInit () {
 			So, here are some new changes:
 			<br/> * Fixed video embed fullscreen, and added a reload button in case load fails
 			<br/> * Initial support for handling data via Trasformapi lib
-			<br/> * Initial, experimental support for RSS feeds specifically, via Transformapi (very broken)
+			<br/> * Initial, experimental support for RSS feeds specifically, via Trasformapi (very broken)
 		</p>`, time: '2024-01-23T01:00' }, { content: `<p>
 			New changes:
 			<br/> * Updated Trasformapi.js with misc fixes, query constants, and streamlined/powerful data querying
@@ -389,6 +387,11 @@ async function MbViewerInit () {
 			Regarding Trasformapi, I transformed some of my development tears into words, read here if you're curious:
 			<a href="https://octospacc.altervista.org/2024/01/25/mbviewer-per-distrarci/">https://octospacc.altervista.org/2024/01/25/mbviewer-per-distrarci/</a>.
 		</p>`, time: '2024-01-25T01:00' }, { content: `<p>
+			Some small things:
+			<br/> * Fixed RSS feeds parsing on Firefox (mentioned in the post linked above), by fixing a bug in Trasformapi
+			<br/> * HTML is now sanitized for removal of dangerous tags and attributes before displaying
+			<br/> * Support including user-defined CSS rules from URL (<code>data:</code> supported) via the "<code>includeStyle</code>" argument
+		</p>`, time: '2024-01-27T20:00' }, { content: `<p>
 			Copyright notice: MBViewer uses code borrowed from <a href="https://t.me">t.me</a>,
 			specially modified to handle customized data visualizations in an MB-style.
 			<br/>
@@ -405,6 +408,18 @@ async function MbViewerInit () {
 	} else {
 		$('.tgme_page_photo_image').addClass(`bgcolor${MbState.siteData.bgColor}`);
 	}
+	RefreshIncludeStyle();
+}
+
+function RefreshIncludeStyle () {
+	document.querySelector('link[href][rel="stylesheet"]#MbViewerIncludeStyle')?.remove();
+	if (MbState.args.includestyle) {
+		const linkElem = document.createElement('link');
+		linkElem.id = 'MbViewerIncludeStyle';
+		linkElem.rel = 'stylesheet';
+		linkElem.href = MbState.args.includestyle;
+		document.body.appendChild(linkElem);
+	}
 }
 
 function MakeMoreWrapperHtml (wrapType) {
@@ -533,7 +548,7 @@ async function MakeMbHtml (postData, makeMoreWrap) {
 }
 
 function ReformatPostHtml (html) {
-	const content = $(`<div>${html}</div>`);
+	const content = $(`<div>${cleanHTML(html, false)}</div>`);
 	// bypass Altervista's anti-hotlinking protection by hiding our HTTP Referer header
 	// TODO: only do this for altervista sites maybe
 	if (MbState.platform === 'wordpress.org') {
@@ -589,7 +604,7 @@ function ResizeLayouts () {
 }
 
 $('a[name="goBack"]')[0].onclick = function(){
-	ArgsRewrite({ dataurl: null, siteurl: null, postid: null, platform: null, /*postslug: null*/ });
+	ArgsRewrite({ dataurl: null, siteurl: null, postid: null, platform: null, includestyle: null /*postslug: null*/ });
 };
 
 window.onmessage = function(event){