aiden
/
memos
mirror of https://github.com/usememos/memos
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
release-please--branches--main--components--memos
main
v0.0.1
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.11.0
v0.11.1
v0.11.2
v0.12.0
v0.12.1
v0.12.2
v0.13.0
v0.13.1
v0.13.2
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.14.4
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.16.1
v0.17.0
v0.17.1
v0.18.0
v0.18.1
v0.18.2
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.20.0
v0.20.1
v0.21.0
v0.22.0
v0.22.1
v0.22.2
v0.22.3
v0.22.4
v0.22.5
v0.23.0
v0.23.0-rc.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.24.4
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.26.0
v0.26.1
v0.26.2
v0.27.0
v0.27.0-rc.1
v0.27.0-rc.2
v0.27.1
v0.28.0
v0.29.0
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.5.0
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7e21b728b3'
${ noResults }
memos/web/tests/memo-content-security.test.mjs

68 lines
2.8 KiB
JavaScript
Raw Blame History

import assert from "node:assert/strict";
import test from "node:test";
import React from "react";
import { renderToStaticMarkup } from "react-dom/server";
import ReactMarkdown from "react-markdown";
import rehypeKatex from "rehype-katex";
import rehypeRaw from "rehype-raw";
import rehypeSanitize from "rehype-sanitize";
import remarkMath from "remark-math";
import { SANITIZE_SCHEMA, isTrustedIframeSrc } from "../src/components/MemoContent/constants.ts";
const TrustedIframe = (props) => {
if (typeof props.src !== "string" || !isTrustedIframeSrc(props.src)) {
return null;
}
return React.createElement("iframe", props);
};
const renderMemoContent = (content) =>
renderToStaticMarkup(
React.createElement(ReactMarkdown, {
children: content,
remarkPlugins: [remarkMath],
rehypePlugins: [rehypeRaw, [rehypeSanitize, SANITIZE_SCHEMA], [rehypeKatex, { throwOnError: false, strict: false }]],
components: {
iframe: TrustedIframe,
},
}),
);
test("strips user-controlled inline styles from raw HTML spans", () => {
const html = renderMemoContent('<span style="position:fixed;inset:0;z-index:99999">overlay</span>');
assert.match(html, /<span>overlay<\/span>/);
assert.doesNotMatch(html, /style=/);
assert.doesNotMatch(html, /position:fixed/);
});
test("still renders KaTeX output after sanitizing math marker classes", () => {
const html = renderMemoContent("$L$");
assert.match(html, /class="katex"/);
assert.match(html, /class="katex-html"/);
});
test("allows trusted iframe providers only", () => {
assert.equal(isTrustedIframeSrc("https://www.youtube.com/embed/abc123"), true);
assert.equal(isTrustedIframeSrc("https://www.youtube-nocookie.com/embed/abc123?si=test"), true);
assert.equal(isTrustedIframeSrc("https://player.vimeo.com/video/123456"), true);
assert.equal(isTrustedIframeSrc("https://open.spotify.com/embed/track/123456"), true);
assert.equal(isTrustedIframeSrc("https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/123456"), true);
assert.equal(isTrustedIframeSrc("https://www.loom.com/embed/123456"), true);
assert.equal(isTrustedIframeSrc("https://www.google.com/maps/embed?pb=test"), true);
assert.equal(isTrustedIframeSrc("https://app.diagrams.net/?embed=1"), true);
assert.equal(isTrustedIframeSrc("https://www.draw.io/?embed=1"), true);
assert.equal(isTrustedIframeSrc("https://evil.example/embed/abc123"), false);
});
test("drops untrusted iframe embeds during rendering", () => {
const trusted = renderMemoContent('<iframe src="https://www.youtube.com/embed/abc123" title="demo"></iframe>');
const untrusted = renderMemoContent('<iframe src="https://evil.example/embed/abc123" title="demo"></iframe>');
assert.match(trusted, /<iframe/);
assert.match(trusted, /youtube\.com\/embed\/abc123/);
assert.doesNotMatch(untrusted, /<iframe/);
});
Reference in New Issue View Git Blame Copy Permalink