From 81a062a70b54de42c66cb23e98d44f0741506b3e Mon Sep 17 00:00:00 2001
From: moonrailgun
Date: Sun, 10 Sep 2023 23:00:08 +0800
Subject: [PATCH] fix: fix xss attacks caused by security issues in custom web group panels
---
 .../src/group/GroupCustomWebPanelRender.tsx | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/client/web/plugins/com.msgbyte.webview/src/group/GroupCustomWebPanelRender.tsx b/client/web/plugins/com.msgbyte.webview/src/group/GroupCustomWebPanelRender.tsx
index 38387441..131a536c 100644
--- a/client/web/plugins/com.msgbyte.webview/src/group/GroupCustomWebPanelRender.tsx
+++ b/client/web/plugins/com.msgbyte.webview/src/group/GroupCustomWebPanelRender.tsx
@@ -1,6 +1,6 @@
 import React, { useEffect, useRef, useState } from 'react';
 import { Translate } from '../translate';
-import { FilterXSS } from 'xss';
+import { FilterXSS, getDefaultWhiteList } from 'xss';
 import { useWatch } from '@capital/common';
 import { GroupExtraDataPanel, NoData, TextArea } from '@capital/component';
 import styled from 'styled-components';
@@ -26,10 +26,9 @@ const EditModalContent = styled.div`

 const xss = new FilterXSS({
 css: false,
+ whiteList: { ...getDefaultWhiteList(), iframe: ['src', 'style', 'class'] },
 onIgnoreTag: function (tag, html, options) {
- if (
- ['html', 'body', 'head', 'meta', 'style', 'iframe', 'div'].includes(tag)
- ) {
+ if (['html', 'body', 'head', 'meta', 'style', 'div'].includes(tag)) {
 // 不对其属性列表进行过滤
 return html;
 }
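Review bot: The `onIgnoreTag` branch kept in the second hunk still returns the raw `html` for `html`, `body`, `head`, `meta` and `style`, so every attribute on those tags, event-handler attributes included, passes through the filter unchanged; only `iframe` was moved behind the whitelist. Consider listing those tags in `whiteList` with explicit attribute lists, e.g. `whiteList: { ...getDefaultWhiteList(), iframe: ['src', 'style', 'class'], html: [], body: [], head: [], meta: ['charset'], style: [] },`, and deleting the pass-through branch. The `div` entry looks redundant, since `div` appears to be in the library's default whitelist already and so would not reach `onIgnoreTag`. Separately, with `css: false` the `style` value now allowed on `iframe` is not run through the CSS filter, so an embedded frame could still be positioned over the surrounding UI; dropping `style` from that list or enabling the CSS filter would close that. The `onIgnoreTag` function continues past the end of the hunk, so how other ignored tags are handled is not visible here.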